cve-2025-54593
Vulnerability from cvelistv5
Published
2025-08-01 18:04
Modified
2025-08-01 18:32
Severity ?
EPSS score ?
Summary
FreshRSS is vulnerable to RCE attacks by authenticated admin
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-54593", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-01T18:31:35.795084Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-01T18:32:59.897Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "FreshRSS", "vendor": "FreshRSS", "versions": [ { "status": "affected", "version": "\u003c 1.26.2" } ] } ], "descriptions": [ { "lang": "en", "value": "FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-01T18:04:40.265Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57" }, { "name": "https://github.com/FreshRSS/FreshRSS/pull/7477", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/FreshRSS/FreshRSS/pull/7477" }, { "name": "https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101" }, { "name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2" } ], "source": { "advisory": "GHSA-jcww-48g9-wf57", "discovery": "UNKNOWN" }, "title": "FreshRSS is vulnerable to RCE attacks by authenticated admin" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-54593", "datePublished": "2025-08-01T18:04:40.265Z", "dateReserved": "2025-07-25T16:19:16.095Z", "dateUpdated": "2025-08-01T18:32:59.897Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { 
"nvd": "{\"cve\":{\"id\":\"CVE-2025-54593\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-01T18:15:55.740\",\"lastModified\":\"2025-08-04T15:06:15.833\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2.\"},{\"lang\":\"es\",\"value\":\"FreshRSS es un agregador RSS gratuito y autoalojado. En las versiones 1.26.1 y anteriores, un usuario administrador autenticado puede ejecutar c\u00f3digo arbitrario en el servidor FreshRSS modificando la URL de actualizaci\u00f3n a una que controle y obtener la ejecuci\u00f3n del c\u00f3digo tras ejecutar una actualizaci\u00f3n. Tras ejecutar el c\u00f3digo correctamente, se pueden extraer datos del usuario, incluidas las contrase\u00f1as hash, y la instancia puede desfigurarse cuando los permisos de archivo lo permitan. Se puede insertar c\u00f3digo malicioso en la instancia para robar contrase\u00f1as de texto plano, entre otras cosas. 
Esto se solucion\u00f3 en la versi\u00f3n 1.26.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/FreshRSS/FreshRSS/pull/7477\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57\",\"source\":\"security-advisories@github.com\"}]}}" } }