CVE-2025-30741: 
PHP vulnerability analysis and mitigation

CVE-2025-30741 affects Pixelfed versions before 0.12.5, allowing unauthorized access to private posts on other Fediverse servers. The vulnerability was discovered on March 14, 2025, and publicly disclosed on March 25, 2025. The issue impacts users across the Fediverse who have followers from any Pixelfed instance (Fokus Blog).

The vulnerability stems from an implementation mistake in Pixelfed's ActivityPub handling where it ignores the as:manuallyApprovesFollowers property for remote accounts and immediately treats follow attempts as completed, regardless of the target server's response. This bypasses the two-way handshake process required by ActivityPub specifications. The issue has a CVSS v3.1 base score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

When a legitimate user from a Pixelfed instance follows a private account on another Fediverse server, any user on that Pixelfed instance can read the private posts of the target account. This affects users across the Fediverse, even if they don't use Pixelfed themselves. The impact is particularly significant due to the concentration of Pixelfed users on few large instances, with pixelfed.social being the largest (Fokus Blog).

The vulnerability has been patched in Pixelfed version 0.12.5. Instance administrators are advised to update their installations immediately. The update requires PHP 8.3+ and includes significant changes beyond the security fix (GitHub Release).

The handling of the vulnerability disclosure received criticism from the security community. The researcher's request for coordinated disclosure was not followed, and the fix was pushed to the public repository before a proper security advisory could be issued. The Pixelfed maintainer's response and communication during the disclosure process was considered poor by the security researcher (Fokus Blog, HN Discussion).