CVE-2025-31482

4.3 MEDIUM

📋 TL;DR

FreshRSS versions before 1.26.2 contain a cross-site request forgery (CSRF) weakness in the logout action: an entry in a malicious RSS feed can force the user viewing it to be logged out, and keeps doing so every time the entry is displayed. The result is a denial of service for the affected user, who cannot stay logged in to their FreshRSS instance while the malicious feed is still being fetched. Only users whose instance subscribes to (or otherwise fetches) a feed the attacker controls are affected.
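The mechanism described above, as an added Python model that is not FreshRSS code and not taken from the advisory: an entry's HTML is rendered on the reader's own origin, so an <img> whose src is a relative URL pointing at the logout action is fetched by the browser with the victim's session cookie. The vulnerable handler accepts any such request; the hardened handler requires a per-session CSRF token and rejects subresource fetches. Assumptions: the `/i/?c=auth&a=logout` URL follows FreshRSS's `?c=<controller>&a=<action>` routing, the `_csrf` parameter name and the Sec-Fetch-Dest check are illustrative, and the Session/Request objects are toy stand-ins for what the browser sends.

```python
"""Toy model of a logout CSRF triggered from feed-entry HTML (added example).

Not FreshRSS source. The logout URL, the _csrf parameter and the handler logic
are assumptions used to illustrate the vulnerable vs. hardened behaviour.
"""
import hmac
import html
import re
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urljoin, urlsplit


@dataclass
class Session:
    """Cookie-bound server session; the browser attaches it to every request."""
    user: str
    logged_in: bool = True
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    url: str
    session: Session
    headers: dict = field(default_factory=dict)


def _action(req):
    """Split FreshRSS-style routing (?c=<controller>&a=<action>) out of the URL."""
    q = parse_qs(urlsplit(req.url).query)
    return q.get("c", [""])[0], q.get("a", [""])[0], q


def logout_vulnerable(req):
    """Pre-1.26.2 style: any request naming the logout action ends the session."""
    c, a, _ = _action(req)
    if (c, a) != ("auth", "logout"):
        return 404
    req.session.logged_in = False
    return 302


def logout_hardened(req):
    """CSRF-protected logout: needs a top-level navigation carrying the session token."""
    c, a, q = _action(req)
    if (c, a) != ("auth", "logout"):
        return 404
    # Fetch Metadata: an <img> load arrives as Sec-Fetch-Dest: image. Missing header
    # (old browser) defaults to "document" so the token check below still decides.
    if req.headers.get("Sec-Fetch-Dest", "document") != "document":
        return 403
    supplied = q.get("_csrf", [""])[0]
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403
    req.session.logged_in = False
    return 302


IMG_SRC = re.compile(r'<img\b[^>]*\bsrc="([^"]*)"', re.IGNORECASE)


def browser_renders_entry(entry_html, session, origin="https://reader.example/i/"):
    """What the browser does with sanitised entry HTML: it fetches every <img> src,
    resolving relative URLs against the reader's own origin, cookies attached."""
    return [
        Request(urljoin(origin, html.unescape(src)), session, {"Sec-Fetch-Dest": "image"})
        for src in IMG_SRC.findall(entry_html)
    ]


# Constructed malicious entry: a harmless-looking post with a logout-triggering image.
MALICIOUS_ENTRY = '<p>Top 10 tips</p><img src="/i/?c=auth&amp;a=logout" alt="">'


def victim_reads_feed(handler):
    """Return whether the victim is still logged in after viewing the entry."""
    s = Session("alice")
    for req in browser_renders_entry(MALICIOUS_ENTRY, s):
        handler(req)
    return s.logged_in


def victim_clicks_logout(handler):
    """A genuine logout click: top-level navigation carrying the session's token."""
    s = Session("alice")
    req = Request(
        f"https://reader.example/i/?c=auth&a=logout&_csrf={s.csrf_token}",
        s,
        {"Sec-Fetch-Dest": "document"},
    )
    return handler(req), s.logged_in


if __name__ == "__main__":
    print("vulnerable, victim still logged in:", victim_reads_feed(logout_vulnerable))
    print("hardened,   victim still logged in:", victim_reads_feed(logout_hardened))
    print("hardened,   real click:", victim_clicks_logout(logout_hardened))
```

The token check alone is what closes the CSRF; the Sec-Fetch-Dest test is defence in depth that also gives a reverse proxy something to filter on, since a logout request arriving as an image load is never legitimate.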

💻 Affected Systems

Products:
  • FreshRSS
Versions: All versions before 1.26.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any instance that fetches feeds from external sources is exposed, since the attacker only needs the victim to subscribe to a feed the attacker controls or has compromised. An instance that fetches no external feeds cannot receive a malicious entry and is therefore not exposed.

📦 What is this software?

FreshRSS is a free, self-hostable RSS/Atom feed aggregator written in PHP. It fetches the feeds a user subscribes to and renders their entries in a web interface, which is where the malicious entry content in this issue is displayed.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Targeted users are logged out every time the malicious entry is displayed and cannot keep a working session, which denies them use of their reader until they unsubscribe from, or otherwise stop fetching, the malicious feed.

🟠

Likely Case

Users who subscribe to a compromised or malicious feed are repeatedly logged out and have to sign in again, degrading usability rather than exposing data.

🟢

If Mitigated

On 1.26.2 or later the logout action is CSRF-protected, so no feed content can trigger it. Until then, exposure is limited to instances that fetch untrusted feeds; legitimate feeds do not trigger the issue.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

The attacker needs no account on the instance; the victim must be logged in and have their instance fetch a feed the attacker controls. No authentication bypass is involved, and the impact is limited to ending the session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.26.2

Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-vpmc-3fv2-jmgp

Restart Required: No

Instructions:

1. Back up your FreshRSS installation and database.
2. Download FreshRSS 1.26.2 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Clear the browser cache if you experience issues afterwards.

🔧 Temporary Workarounds

Disable external feed fetching (all platforms)

Temporarily stop fetching external feeds, or at least pause the feed that triggers the logouts, so that no malicious entry reaches the interface.

Use trusted feeds only (all platforms)

Limit subscriptions to known, trusted sources until patched, and unsubscribe from any feed whose entries coincide with the forced logouts.

🧯 If You Can't Patch

  • If the instance sits behind a reverse proxy or WAF, block requests for the logout action that arrive as subresource loads (for example with a Sec-Fetch-Dest: image header) rather than as top-level navigations; a legitimate logout is never an image fetch.
  • Monitor logout events per user and investigate users who are logged out repeatedly within a short period.

🔍 How to Verify

Check if Vulnerable:

Any FreshRSS version below 1.26.2 is vulnerable. Read the version from the web interface or from the installation directory as described below.

Check Version:

The version is shown at the bottom of every FreshRSS page; on the server it is the FRESHRSS_VERSION define in constants.php in the installation directory.

Verify Fix Applied:

After updating, confirm the displayed version is 1.26.2 or later, then confirm that viewing the feed that previously caused the logouts no longer ends your session.

📡 Detection & Monitoring

Log Indicators:

  • Frequent logout events for the same user, each followed shortly by a new login
  • In the web-server access log, requests for the logout action whose Referer is a FreshRSS reading view, or that arrive as image/subresource fetches (Sec-Fetch-Dest: image) if your proxy logs that header
  • Bursts of login-page requests from a user who was active moments earlier

Network Indicators:

  • Outbound fetches of a newly added or unknown feed that coincide with the onset of the logouts
  • Repeated login requests from the same client within a short window

SIEM Query:

Splunk-style; adjust field names to your SIEM and, where FreshRSS itself does not log logouts, run the same aggregation over web-server access logs filtered on the logout action:

source="freshrss.log" ("logout" OR "session expired")
| stats count by user
| where count > <threshold>
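The same aggregation as an added, runnable Python example (not from the page or from FreshRSS): it parses combined-format web-server access log lines, keeps only requests for the logout action, and flags clients that hit it more than a threshold number of times inside a sliding window. The log lines are constructed for the example; the `c=auth&a=logout` query pattern is an assumption about FreshRSS routing, and lines are assumed to be in time order, as access logs normally are.

```python
"""Flag clients that are being logged out repeatedly (added detection example).

Input: Apache/nginx combined-format access log lines, in time order.
The logout URL pattern (c=auth&a=logout) is an assumption, not from the advisory.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_logout(target):
    """True for a request path that names the (assumed) logout action."""
    q = parse_qs(urlsplit(target).query)
    return q.get("c") == ["auth"] and q.get("a") == ["logout"]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_repeated_logouts(lines, window=timedelta(minutes=10), threshold=3):
    """Map client -> largest number of logouts seen inside one window, for clients
    that reached the threshold. Keyed by authenticated user when the log has one,
    otherwise by source IP."""
    recent = defaultdict(deque)   # client -> timestamps of logouts inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_logout(rec["target"]):
            continue
        key = rec["ip"] if rec["user"] == "-" else rec["user"]
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop logouts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


# Constructed sample: one client forced out four times in 2.5 minutes, one normal
# logout from another client, and one later, isolated logout from the first client.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2025:10:00:01 +0000] "GET /i/?c=auth&a=logout HTTP/1.1" 302 0 "https://reader.example/i/" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2025:10:00:40 +0000] "GET /i/?c=auth&a=login HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2025:10:01:05 +0000] "GET /i/?c=auth&a=logout HTTP/1.1" 302 0 "https://reader.example/i/" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2025:10:01:50 +0000] "GET /i/?c=auth&a=logout HTTP/1.1" 302 0 "https://reader.example/i/" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2025:10:02:30 +0000] "GET /i/?c=auth&a=logout HTTP/1.1" 302 0 "https://reader.example/i/" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2025:10:03:00 +0000] "GET /i/?c=auth&a=logout HTTP/1.1" 302 0 "https://reader.example/i/" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2025:17:30:00 +0000] "GET /i/?c=auth&a=logout HTTP/1.1" 302 0 "https://reader.example/i/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client, n in flag_repeated_logouts(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {n} logouts within 10 minutes")
```

Tune the window and threshold to your users' habits; a single logout per session is normal, several per few minutes from one client is not, and a hit here points at whichever feed that user opened just before the burst.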

🔗 References

  • Vendor advisory (GitHub Security Advisory): https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-vpmc-3fv2-jmgp
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2025-31482