CVE-2025-54593 (GCVE-0-2025-54593)
Vulnerability from cvelistv5 – Published: 2025-08-01 18:04 – Updated: 2025-08-01 18:32
Summary
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control and then running an update. After code execution is obtained, user data including hashed passwords can be exfiltrated, and the instance can be defaced when file permissions allow; malicious code can also be inserted into the instance to steal plaintext passwords, among other effects. This is fixed in version 1.26.2.
Severity
7.2 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57 | x_refsource_CONFIRM |
| https://github.com/FreshRSS/FreshRSS/pull/7477 | x_refsource_MISC |
| https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101 | x_refsource_MISC |
| https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54593",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-01T18:31:35.795084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T18:32:59.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T18:04:40.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/7477",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/7477"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2"
}
],
"source": {
"advisory": "GHSA-jcww-48g9-wf57",
"discovery": "UNKNOWN"
},
"title": "FreshRSS is vulnerable to RCE attacks by authenticated admin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54593",
"datePublished": "2025-08-01T18:04:40.265Z",
"dateReserved": "2025-07-25T16:19:16.095Z",
"dateUpdated": "2025-08-01T18:32:59.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-54593\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-01T18:15:55.740\",\"lastModified\":\"2025-08-25T17:38:29.050\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2.\"},{\"lang\":\"es\",\"value\":\"FreshRSS es un agregador RSS gratuito y autoalojado. En las versiones 1.26.1 y anteriores, un usuario administrador autenticado puede ejecutar c\u00f3digo arbitrario en el servidor FreshRSS modificando la URL de actualizaci\u00f3n a una que controle y obtener la ejecuci\u00f3n del c\u00f3digo tras ejecutar una actualizaci\u00f3n. Tras ejecutar el c\u00f3digo correctamente, se pueden extraer datos del usuario, incluidas las contrase\u00f1as hash, y la instancia puede desfigurarse cuando los permisos de archivo lo permitan. Se puede insertar c\u00f3digo malicioso en la instancia para robar contrase\u00f1as de texto plano, entre otras cosas. Esto se solucion\u00f3 en la versi\u00f3n 1.26.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.26.2\",\"matchCriteriaId\":\"5750A689-0869-499D-8A26-E5088B31DDF4\"}]}]}],\"references\":[{\"url\":\"https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/FreshRSS/FreshRSS/pull/7477\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54593\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-01T18:31:35.795084Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-01T18:32:55.941Z\"}}], \"cna\": {\"title\": \"FreshRSS is vulnerable to RCE attacks by authenticated admin\", \"source\": {\"advisory\": \"GHSA-jcww-48g9-wf57\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"FreshRSS\", \"product\": \"FreshRSS\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.26.2\"}]}], \"references\": [{\"url\": \"https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57\", \"name\": \"https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FreshRSS/FreshRSS/pull/7477\", \"name\": \"https://github.com/FreshRSS/FreshRSS/pull/7477\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101\", \"name\": \"https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2\", \"name\": \"https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-01T18:04:40.265Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-54593\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-01T18:32:59.897Z\", \"dateReserved\": \"2025-07-25T16:19:16.095Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-01T18:04:40.265Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.