CVE-2025-30741: Pixelfed may allow unauthorized actor to view private posts and private users

March 25, 2025 (updated March 26, 2025)

Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance.

References

fokus.cool/2025/03/25/pixelfed-vulnerability.html
github.com/advisories/GHSA-7287-grhx-542x
github.com/pixelfed/pixelfed
github.com/pixelfed/pixelfed/releases/tag/v0.12.5
mastodon.social/@pixelfed/114215925957179498
news.ycombinator.com/item?id=43474425
nvd.nist.gov/vuln/detail/CVE-2025-30741

Code Behaviors & Features

Detect and mitigate CVE-2025-30741 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →