Home

Description

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue.

PUBLISHED Reserved 2025-08-27 | Published 2025-12-15 | Updated 2025-12-16 | Assigner GitHub_M




HIGH: 7.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-20: Improper Input Validation

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

>= 1.23.0, < 1.27.1
affected

References

github.com/...eshRSS/security/advisories/GHSA-6c8h-w3j5-j293 exploit

github.com/...eshRSS/security/advisories/GHSA-6c8h-w3j5-j293

github.com/FreshRSS/FreshRSS/pull/7878

github.com/FreshRSS/FreshRSS/pull/7971

github.com/FreshRSS/FreshRSS/pull/7979

github.com/...ommit/79604aa4b3051f083d1734bd9e82c6a89d785c5a

github.com/...ommit/dbbae15a8458679db0f4540dacdbdcff9c02ec8c

github.com/...ommit/ee175dd6169a016fc898fac62d046e22c205dec0

cve.org (CVE-2025-58173)

nvd.nist.gov (CVE-2025-58173)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.