CVE-2024-25108: 
PHP vulnerability analysis and mitigation

Pixelfed, an open source photo sharing platform, disclosed a critical vulnerability (CVE-2024-25108) affecting versions between v0.10.4 and v0.11.9. The vulnerability was discovered and reported on February 10, 2024, and involves improper authorization checks when processing requests, allowing attackers to access administrative and moderator functionality beyond their intended permissions (GitHub Advisory).

The vulnerability stems from insufficient authorization checks in the API implementation. When verifying request permissions, the system only validated user authentication via access token and resource ownership/admin status, without properly checking if the OAuth Application/Client had been granted access to specific API endpoints. This implementation flaw allows an access token with 'read' permissions to be used for 'write' or administrative actions without the user's knowledge. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L) (NVD).

The vulnerability affects all local users of Pixelfed servers and can potentially compromise server federation capabilities. Access tokens in Pixelfed have a 1-year lifetime, allowing attackers to conduct delayed attacks even after initial access is granted. Additionally, any leaked access tokens from third-party OAuth Application databases could be exploited for an extended period (GitHub Advisory).

The vulnerability has been patched in version 0.11.11. Users are strongly advised to upgrade to this version as there are no known workarounds for this vulnerability. The patch implements proper OAuth authorization checks on API endpoints (GitHub Patch).

The investigation and remediation of this security vulnerability were supported by the Nivenly Foundation, demonstrating industry collaboration in addressing security issues in the Fediverse and Pixelfed communities (GitHub Advisory).