Description

FreshRSS is a free, self-hostable RSS aggregator. In versions from 1.27.0 up to but not including 1.28.0, an attacker could globally deny access to feeds by using a proxy to rewrite the responses for a large list of feeds on a given instance to HTTP 429 with a Retry-After header, making the instance unusable for the majority of its users. This issue has been patched in version 1.28.0.

Status: PUBLISHED | Reserved 2025-12-15 | Published 2025-12-26 | Updated 2025-12-29 | Assigner: GitHub_M

Severity: MEDIUM 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

>= 1.27.0, < 1.28.0: affected

References

github.com/...eshRSS/security/advisories/GHSA-qw34-frg7-gf78 (exploit)

github.com/...eshRSS/security/advisories/GHSA-qw34-frg7-gf78

github.com/FreshRSS/FreshRSS/pull/8029

github.com/...ommit/7d4854a0a4f5665db599f18c34035786465639f3

cve.org (CVE-2025-68148)

nvd.nist.gov (CVE-2025-68148)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.