CVE-2025-46341
📋 TL;DR
FreshRSS versions before 1.26.2 contain an authentication bypass vulnerability when using HTTP auth via reverse proxy. Attackers with an account on the instance can impersonate any user by manipulating Remote-User or X-WebAuth-User headers during feed addition, potentially gaining unauthorized access to internal services and escalating privileges. Only instances using HTTP auth via reverse proxy are affected.
💻 Affected Systems
- FreshRSS
📦 What is this software?
FreshRSS, by the FreshRSS project
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to privilege escalation, unauthorized access to internal services, and potential data exfiltration or system compromise.
Likely Case
Unauthorized access to other users' RSS feeds and personal data, with potential privilege escalation if admin credentials are known.
If Mitigated
Limited impact with proper network segmentation and authentication controls in place.
🎯 Exploit Status
Requires attacker to have an account on the instance, know the admin username, and know the IP address of the proxied FreshRSS instance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.26.2
Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w3m8-wcf4-h8vm
Restart Required: Yes
Instructions:
1. Backup your FreshRSS installation and database.
2. Update FreshRSS to version 1.26.2 or later.
3. Restart the web server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable HTTP Auth via Reverse Proxy
Switch to native FreshRSS authentication methods instead of relying on reverse proxy authentication headers.
Filter Suspicious Headers
Configure the reverse proxy to strip or validate Remote-User and X-WebAuth-User headers before forwarding to FreshRSS.
# For nginx (inside the proxied location; add_header only affects the response, not the forwarded request): proxy_set_header Remote-User "";
# For Apache: RequestHeader unset Remote-User
# Repeat for X-WebAuth-User. Where the proxy itself performs the authentication, set the header from the proxy's own result instead (nginx: proxy_set_header Remote-User $remote_user;) so a client-supplied value is always overwritten.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the FreshRSS instance
- Enable detailed logging and monitoring for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check if using FreshRSS version <1.26.2 with HTTP auth via reverse proxy configuration.
Check Version:
Check FreshRSS admin interface or view /data/config.php for version information
Verify Fix Applied:
Confirm FreshRSS version is 1.26.2 or later and test authentication with reverse proxy headers.
📡 Detection & Monitoring
Log Indicators:
- Multiple authentication attempts with different Remote-User headers
- Unusual feed addition requests from single IP
Network Indicators:
- HTTP requests containing manipulated Remote-User or X-WebAuth-User headers
- CSRF token scraping patterns
SIEM Query:
source="freshrss" AND (header="Remote-User" OR header="X-WebAuth-User") AND user_changed=true
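As an added detection example (not part of this advisory or of the FreshRSS project), the Python script below applies the log indicators above to a few constructed access-log lines. It assumes the reverse proxy logs both the user it authenticated (nginx $remote_user) and the raw client-supplied header (nginx $http_remote_user) in a custom field named hdr_remote_user, and that feed additions hit a path containing c=subscription&a=add; the log format, the field name and that path are assumptions. The same logic applies unchanged to X-WebAuth-User.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format): client IP, proxy-authenticated
# user, timestamp, request line, status, and the raw client-supplied Remote-User
# header ("-" when absent). The first client presents three different identities.
SAMPLE_LOG = """\
203.0.113.5 - alice [10/Jun/2025:12:00:01 +0000] "GET /i/ HTTP/1.1" 200 hdr_remote_user="-"
203.0.113.5 - alice [10/Jun/2025:12:00:07 +0000] "POST /i/?c=subscription&a=add HTTP/1.1" 200 hdr_remote_user="admin"
203.0.113.5 - alice [10/Jun/2025:12:00:09 +0000] "POST /i/?c=subscription&a=add HTTP/1.1" 200 hdr_remote_user="bob"
203.0.113.5 - alice [10/Jun/2025:12:00:11 +0000] "POST /i/?c=subscription&a=add HTTP/1.1" 200 hdr_remote_user="carol"
198.51.100.9 - bob [10/Jun/2025:12:01:00 +0000] "GET /i/?c=subscription&a=add HTTP/1.1" 200 hdr_remote_user="-"
198.51.100.9 - bob [10/Jun/2025:12:01:30 +0000] "POST /i/?c=subscription&a=add HTTP/1.1" 200 hdr_remote_user="-"
"""

# Parser for the assumed log format above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<auth_user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'hdr_remote_user="(?P<hdr_user>[^"]*)"$'
)

# Assumed FreshRSS feed-add endpoint; adjust to the real route in your deployment.
FEED_ADD_RE = re.compile(r'c=subscription&a=add')


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["hdr_user"] = None if event["hdr_user"] == "-" else event["hdr_user"]
        events.append(event)
    return events


def find_spoofed_headers(events):
    """Requests whose client-supplied Remote-User differs from the user the proxy
    actually authenticated. A correctly configured proxy overwrites this header,
    so any such mismatch reaching the log is worth an alert."""
    return [e for e in events
            if e["hdr_user"] is not None and e["hdr_user"] != e["auth_user"]]


def find_multi_identity_ips(events, threshold=2):
    """IPs that presented at least `threshold` distinct Remote-User values
    (the 'multiple authentication attempts with different headers' indicator)."""
    seen = defaultdict(set)
    for e in events:
        if e["hdr_user"] is not None:
            seen[e["ip"]].add(e["hdr_user"])
    return {ip: sorted(users) for ip, users in seen.items() if len(users) >= threshold}


def find_feed_add_bursts(events, threshold=3):
    """IPs issuing at least `threshold` feed-add POSTs in the analysed window
    (the 'unusual feed addition requests from single IP' indicator)."""
    counts = defaultdict(int)
    for e in events:
        if e["method"] == "POST" and FEED_ADD_RE.search(e["path"]):
            counts[e["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def analyze(text):
    """Run all three indicators over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "spoofed": find_spoofed_headers(events),
        "multi_identity": find_multi_identity_ips(events),
        "feed_add_bursts": find_feed_add_bursts(events),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for e in findings["spoofed"]:
        print(f"spoofed header: {e['ip']} authenticated as {e['auth_user']} "
              f"but sent Remote-User={e['hdr_user']} ({e['ts']})")
    print("multiple identities per IP:", findings["multi_identity"])
    print("feed-add bursts per IP:", findings["feed_add_bursts"])
```

On the constructed sample, the first client is flagged by all three indicators while the second client, who adds a single feed without a spoofed header, is not. The spoofed-header check is the strongest signal because a correctly configured proxy should never let a client-supplied value differ from its own authentication result; the other two are rate-based and need thresholds tuned to normal usage.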