CVE-2020-25787

9.8 CRITICAL

📋 TL;DR

CVE-2020-25787 is a critical vulnerability in Tiny Tiny RSS (tt-rss) that allows remote code execution due to improper URL validation. Attackers can exploit this by tricking the application into making requests to malicious URLs, potentially leading to full server compromise. All tt-rss installations before version 2020-09-16 are affected.

💻 Affected Systems

Products:
  • Tiny Tiny RSS (tt-rss)
Versions: All versions before 2020-09-16
Operating Systems: All platforms running tt-rss
Default Config Vulnerable: ⚠️ Yes
Notes: All installations are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover with arbitrary code execution, data theft, and lateral movement within the network.

🟠 Likely Case: Remote code execution leading to web shell installation, data exfiltration, and potential ransomware deployment.

🟢 If Mitigated: Limited impact if proper network segmentation and web application firewalls are in place, though risk remains significant.

🌐 Internet-Facing: HIGH - Web applications are directly accessible and exploit is unauthenticated.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts and detailed write-ups are available. Exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020-09-16 or later

Vendor Advisory: https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799

Restart Required: No

Instructions:

1. Back up your tt-rss installation and database.
2. Update to version 2020-09-16 or later via git: 'git pull origin master'.
3. Run update.php if prompted.
4. Clear browser cache.

🔧 Temporary Workarounds

Network-based URL filtering (applies to: all)

Block outgoing HTTP requests from tt-rss to untrusted domains using firewall rules or a web application firewall.

Disable external feed fetching (applies to: all)

Temporarily disable the external feed fetching functionality if it is not critical.

Edit config.php: define('DISABLE_FEED_FETCHING', true);

🧯 If You Can't Patch

  • Isolate tt-rss server in a restricted network segment with no internet egress.
  • Implement strict web application firewall rules to block malicious URL patterns.

🔍 How to Verify

Check if Vulnerable:

Check version in config.php or via git log. If version date is before 2020-09-16, you are vulnerable.

Check Version:

grep 'define("VERSION"' config.php || git log --oneline -1

Verify Fix Applied:

Confirm version is 2020-09-16 or later. Check commit c3d14e1fa54c7dade7b1b7955575e2991396d7ef is present.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to internal services from tt-rss
  • Suspicious PHP process execution
  • Unexpected outbound connections from tt-rss server

Network Indicators:

  • HTTP requests from tt-rss to unusual domains or internal IPs
  • POST requests with encoded payloads to tt-rss

SIEM Query:

source="tt-rss-logs" AND (url="*://*" OR (process="php*" AND parent="tt-rss"))
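A small detector for the network indicators listed above, added here as an illustration and not taken from tt-rss or its advisory: it scans egress-proxy log lines from the tt-rss host and flags fetches aimed at non-public IP literals or at hosts outside an operator-maintained allowlist. The log format, the client address 10.0.5.12 and the ALLOWED_HOSTS set are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample egress-proxy log from the tt-rss host (not real data).
# Assumed format: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2020-09-20T10:00:01Z 10.0.5.12 GET https://example.org/feed.xml 200
2020-09-20T10:00:02Z 10.0.5.12 GET http://127.0.0.1:8080/admin 200
2020-09-20T10:00:03Z 10.0.5.12 GET http://169.254.169.254/latest/meta-data/ 200
2020-09-20T10:00:04Z 10.0.5.12 GET https://news.example.com/rss 200
2020-09-20T10:00:05Z 10.0.5.12 GET http://10.0.0.7:6379/ 000
2020-09-20T10:00:06Z 10.0.5.12 GET http://cdn.example.net/img.png 200
"""

# Feed hosts this instance is expected to fetch (assumption: maintained by the operator).
ALLOWED_HOSTS = {"example.org", "news.example.com", "cdn.example.net"}


def is_internal_target(url):
    """True when the URL points at a loopback, private, link-local or other
    non-public IP literal. Hostnames are not resolved here; a name that resolves
    to an internal address has to be caught by the allowlist check instead."""
    host = urlsplit(url).hostname
    if host is None:
        return True  # unparsable URL: treat as suspicious
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not ip.is_global


def flag_requests(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (reason, url) pairs for lines matching the indicators above:
    requests to internal IPs, or to domains outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line
        url = parts[3]
        if is_internal_target(url):
            findings.append(("internal-or-nonpublic-ip", url))
        elif urlsplit(url).hostname not in allowed_hosts:
            findings.append(("unlisted-domain", url))
    return findings


if __name__ == "__main__":
    for reason, url in flag_requests(SAMPLE_LOG):
        print(f"{reason}: {url}")
```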
