CVE-2025-54592
📋 TL;DR
FreshRSS versions 1.26.3 and below have a session management vulnerability where logout doesn't properly invalidate session cookies. This allows attackers to hijack user sessions by reusing old cookies, potentially gaining unauthorized access to RSS feeds and user data. All users running vulnerable versions are affected.
💻 Affected Systems
- FreshRSS
📦 What is this software?
FreshRSS is a free, self-hostable RSS and Atom feed aggregator written in PHP, maintained by the FreshRSS project on GitHub.
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding a captured cookie has a fully authenticated session as the victim for as long as that session lives on the server: reading every subscribed feed and article, changing the account's configuration, and pulling out whatever the interface exposes. Unless the application re-checks the password for sensitive actions, that is effectively an account takeover.
Likely Case
Session hijacking where attackers can read private RSS feeds and access user preferences.
If Mitigated
Short server-side session lifetimes, HTTPS-only delivery and HttpOnly/Secure cookie flags narrow the window and make cookies harder to capture, but a cookie that is captured stays valid until the server expires it, so the authentication bypass remains until the fix is applied. Network segmentation does not help: the replayed cookie arrives over the same path as legitimate traffic.
🎯 Exploit Status
This vulnerability does not leak a cookie by itself; it extends the useful life of one the attacker already holds. A cookie can be obtained through XSS (if the cookie is not HttpOnly), interception of plaintext HTTP traffic, or access to a shared or unlocked browser. On an unfixed instance a cookie captured before the victim logs out keeps working afterwards; on a fixed instance logout ends that exposure. The page references no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.27.0
Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr
Restart Required: Reload PHP-FPM (or restart the web server if PHP runs in-process) after replacing the files, so the opcode cache does not keep serving the old code.
Instructions:
1. Back up the FreshRSS installation directory and its database.
2. Download the FreshRSS 1.27.0 release from the GitHub releases page.
3. Replace the existing application files with the new version, keeping your existing data directory and configuration.
4. Reload PHP-FPM or restart the web server.
5. Verify the logout behaviour (see How to Verify below).
6. Have users log out and back in, or clear the server-side session store: the fix changes what logout does from now on, it does not retroactively end sessions that were already open before the upgrade.
🔧 Temporary Workarounds
Force Session Regeneration
Add an explicit teardown to the logout handler (or equivalent) so that the server-side session record is destroyed and the browser cookie is expired with the same attributes it was originally set with. Regenerating the session ID immediately before destroying the session adds nothing; deleting the server-side record is what makes a captured cookie useless. This edits vendor code and will be overwritten by the next upgrade, so treat it as a stopgap only.
# Add to logout.php or equivalent, after the application's own logout logic:
$_SESSION = [];                              # drop the server-side session data
$p = session_get_cookie_params();            # expire the cookie with the SAME path/domain/flags
setcookie(session_name(), '', time() - 3600, #   it was set with, or the browser keeps the old one
    $p['path'], $p['domain'], $p['secure'], $p['httponly']);
session_destroy();                           # remove the session record on the server
🧯 If You Can't Patch
- Shorten the server-side session lifetime (PHP session.gc_maxlifetime and session.cookie_lifetime, e.g. 15-30 minutes) so a captured cookie stops working soon after the victim's last activity rather than only at logout; PHP's session garbage collection is probabilistic, so confirm expired sessions are actually purged
- Serve FreshRSS over HTTPS only and keep the session cookie HttpOnly and Secure, which removes the easiest ways to capture the cookie in the first place (XSS, plaintext interception)
- Restrict who can reach the instance (VPN or reverse-proxy authentication); a WAF cannot tell a replayed cookie from a live one, so WAF rules are not an effective control for this issue
🔍 How to Verify
Check if Vulnerable:
Check the FreshRSS version in the web interface or by examining the FRESHRSS_VERSION constant in constants.php. If the version is 1.26.3 or lower, the instance is vulnerable.
Check Version:
grep "define('FRESHRSS_VERSION'," /path/to/freshrss/constants.php | cut -d"'" -f4
Verify Fix Applied:
After patching:
1. Log in to FreshRSS and record the session cookie your browser holds.
2. Log out.
3. Send a request for a page that requires login (for example the configuration page) with the pre-logout cookie attached; a fixed instance redirects to the login page instead of rendering the page.
4. Confirm the reported version is 1.27.0 or higher.
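The replay check in the steps above, as an added example that is not FreshRSS's own code. The endpoint paths, the form field names (username, password, _csrf) and the rule that a redirect to the login action means "rejected" are assumptions to confirm against your instance's login page; SimulatedServer is a constructed stand-in so the check can also be run offline.

```python
"""Replay test: does a session cookie captured before logout still authenticate afterwards?
Added example, not FreshRSS project code. LOGIN_PATH, LOGOUT_PATH, PROBE_PATH, the form
field names (username, password, _csrf) and the "redirect to a=login means rejected" rule
are assumptions; SimulatedServer is a constructed stand-in so the check runs offline."""
import re
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/i/?c=auth&a=login"            # assumed; verify on your install
LOGOUT_PATH = "/i/?c=auth&a=logout"          # assumed
PROBE_PATH = "/i/?c=configure&a=display"     # assumed: any page that needs a login
CSRF_RE = re.compile(r'name="_csrf"\s+value="([^"]+)"')   # assumed hidden field


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them; Location tells us about a bounce."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_transport(base_url, timeout=10):
    """Live transport: send(method, path, cookie, form) -> (status, new cookie, Location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    def send(method, path, cookie, form=None):
        data = urllib.parse.urlencode(form).encode() if form else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        if cookie:
            req.add_header("Cookie", cookie)
        try:
            resp = opener.open(req, timeout=timeout)
        except urllib.error.HTTPError as err:
            resp = err                      # 3xx/4xx still carry headers and a body
        new_cookie = None
        for sc in resp.headers.get_all("Set-Cookie") or []:
            name_value = sc.split(";", 1)[0]  # drop Path/Expires/etc. attributes
            if name_value.split("=", 1)[-1] not in ("", "deleted"):
                new_cookie = name_value
                break
        status = getattr(resp, "status", None) or getattr(resp, "code", None)
        return status, new_cookie, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    return send


def is_authenticated(status, location):
    """A 200 is a rendered page; a redirect to the login action is a rejection."""
    if location and "a=login" in location:
        return False
    return status == 200


def logout_invalidates_session(send, username, password):
    """True if the pre-logout cookie is rejected afterwards (fixed),
    False if it still authenticates (vulnerable)."""
    # PHP usually issues the cookie on the first GET; the form may carry a CSRF token to echo back.
    _, cookie, _, body = send("GET", LOGIN_PATH, None)
    form = {"username": username, "password": password}
    token = CSRF_RE.search(body)
    if token:
        form["_csrf"] = token.group(1)
    _, new_cookie, _, _ = send("POST", LOGIN_PATH, cookie, form)
    cookie = new_cookie or cookie           # keep the most recently issued cookie
    if not cookie:
        raise RuntimeError("no session cookie issued; check LOGIN_PATH")
    status, _, location, _ = send("GET", PROBE_PATH, cookie)
    if not is_authenticated(status, location):
        raise RuntimeError("login failed; check credentials and paths")
    send("GET", LOGOUT_PATH, cookie)        # log out with that cookie...
    status, _, location, _ = send("GET", PROBE_PATH, cookie)   # ...then replay it
    return not is_authenticated(status, location)


class SimulatedServer:
    """Constructed stand-in: the vulnerable variant only tells the browser to drop the
    cookie and leaves the server-side record logged in; the fixed variant deletes it."""
    def __init__(self, vulnerable, password="s3cret"):
        self.vulnerable, self.password = vulnerable, password
        self.sessions, self.count = {}, 0   # cookie -> logged-in flag

    def send(self, method, path, cookie, form=None):
        if path == LOGIN_PATH and method == "GET":
            self.count += 1
            sid = "PHPSESSID=sim%d" % self.count
            self.sessions[sid] = False
            return 200, sid, None, '<input type="hidden" name="_csrf" value="t0k">'
        if path == LOGIN_PATH:              # POST of the credentials
            ok = form.get("password") == self.password and cookie in self.sessions
            if ok:
                self.sessions[cookie] = True
            return 302, None, ("/i/" if ok else LOGIN_PATH), ""
        if path == LOGOUT_PATH:
            if not self.vulnerable:
                self.sessions.pop(cookie, None)
            return 302, "PHPSESSID=deleted", LOGIN_PATH, ""
        if self.sessions.get(cookie):       # any page that requires a login
            return 200, None, None, "<h1>Configuration</h1>"
        return 302, None, LOGIN_PATH, ""
```

Against a live instance call `logout_invalidates_session(urllib_transport("https://rss.example.org"), "user", "password")`; a False result means the pre-logout cookie still authenticates. Redirects are deliberately not followed, because following them would turn a "bounced to login" response into a 200 and hide the very signal the check relies on.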
📡 Detection & Monitoring
Log Indicators:
- Requests that carry a session ID after that same session ID has hit the logout action, in particular ones that return 200 for a page that requires login
- The same session ID used from more than one client IP or user agent
Network Indicators:
- A session cookie seen before a logout still appearing in HTTP requests afterwards (this needs the cookie, or a hash of it, logged at the reverse proxy)
- Sessions that stay active long after the user's last interactive activity, or that arrive from networks the user does not normally use
SIEM Query:
Illustrative Splunk-style query; field names depend on how your logs are parsed. It flags a session whose last successful request comes after its logout, or which was used from more than one client IP:
source="freshrss" | stats min(eval(if(event="logout", _time, null()))) as logout_time, max(eval(if(event!="logout" AND status=200, _time, null()))) as last_ok_request, dc(src_ip) as client_ips by session_id | where last_ok_request > logout_time OR client_ips > 1
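The same two indicators as detection logic over log lines, as an added example that is not part of the original page or of FreshRSS. The log format (timestamp, client IP, session cookie value, method, path, status) and the sample lines are constructed for this example; map parse() onto whatever your reverse proxy actually writes, and note that the cookie value (or a hash of it) has to be in the log for this to work at all. The a=logout and a=login path markers are assumed FreshRSS action names.

```python
"""Detect session-cookie reuse after logout in (constructed) FreshRSS access logs.
Added example, not FreshRSS project code. Log format and sample lines are constructed;
the a=logout / a=login path markers are assumed action names."""
import re
from collections import defaultdict

# Constructed format: <ts> <client ip> sid=<session cookie value> <method> <path> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) sid=(\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample: a1b2c3 is replayed from another IP after logout and succeeds
# (unfixed server); d4e5f6 is a browser still holding the old cookie that merely
# revisits the login page (benign); g7h8i9 is replayed but bounced (fixed server).
SAMPLE_LOG = """\
2025-08-05T10:00:01Z 203.0.113.10 sid=a1b2c3 GET /i/?c=auth&a=login 200
2025-08-05T10:00:05Z 203.0.113.10 sid=a1b2c3 POST /i/?c=auth&a=login 302
2025-08-05T10:01:00Z 203.0.113.10 sid=a1b2c3 GET /i/ 200
2025-08-05T10:05:00Z 203.0.113.10 sid=a1b2c3 GET /i/?c=auth&a=logout 302
2025-08-05T10:09:30Z 198.51.100.7 sid=a1b2c3 GET /i/?c=configure&a=display 200
2025-08-05T10:10:00Z 203.0.113.11 sid=d4e5f6 GET /i/ 200
2025-08-05T10:12:00Z 203.0.113.11 sid=d4e5f6 GET /i/?c=auth&a=logout 302
2025-08-05T10:12:01Z 203.0.113.11 sid=d4e5f6 GET /i/?c=auth&a=login 200
2025-08-05T10:20:00Z 203.0.113.12 sid=g7h8i9 GET /i/ 200
2025-08-05T10:21:00Z 203.0.113.12 sid=g7h8i9 GET /i/?c=auth&a=logout 302
2025-08-05T10:25:00Z 198.51.100.9 sid=g7h8i9 GET /i/ 302
"""


def parse(line):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, sid, method, path, status = m.groups()
    return {"ts": ts, "ip": ip, "sid": sid, "method": method,
            "path": path, "status": int(status)}


def detect(lines):
    """Return (reuse, shared). reuse lists successful (200) requests to a non-login
    page that carried a session ID after that ID had logged out; shared is the set
    of session IDs seen from more than one client IP. Lines must be in time order."""
    logged_out = {}                 # sid -> timestamp of its logout
    ips = defaultdict(set)          # sid -> client IPs that presented it
    reuse = []
    for rec in filter(None, map(parse, lines)):
        sid = rec["sid"]
        ips[sid].add(rec["ip"])
        if "a=logout" in rec["path"]:
            logged_out[sid] = rec["ts"]
            continue
        # A browser that still holds the old cookie may legitimately land on the
        # login page again; a 200 on any other page after logout is the reuse signal.
        if sid in logged_out and rec["status"] == 200 and "a=login" not in rec["path"]:
            reuse.append({"sid": sid, "ip": rec["ip"], "ts": rec["ts"],
                          "path": rec["path"], "logged_out_at": logged_out[sid]})
    shared = {sid for sid, seen in ips.items() if len(seen) > 1}
    return reuse, shared


if __name__ == "__main__":
    hits, multi_ip = detect(SAMPLE_LOG.splitlines())
    for h in hits:
        print("post-logout reuse: sid=%(sid)s from %(ip)s at %(ts)s (%(path)s), "
              "logged out at %(logged_out_at)s" % h)
    print("session IDs seen from more than one IP:", sorted(multi_ip))
```

On the sample, only a1b2c3 is reported as post-logout reuse, while both a1b2c3 and g7h8i9 show up as shared across IPs: the second indicator still fires on a patched server where the replay was bounced, which is exactly when you want to know that someone holds a user's cookie.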