CVE-2025-57769

6.1 MEDIUM

📋 TL;DR

FreshRSS 1.26.3 and earlier are vulnerable to UI redressing (clickjacking): an attacker who lures a logged-in user to a page they control can load FreshRSS in a hidden or transparent iframe and route the user's clicks to FreshRSS controls, so the user performs actions they never intended. Two outcomes are described: an administrator can be tricked into promoting a user (for example the attacker's own account) to admin, and a user can be tricked into saving attacker-supplied JavaScript, giving cross-site scripting (XSS). Any self-hosted FreshRSS instance with authenticated users is affected; the victim's own session performs the action, so no credentials are stolen or guessed.

💻 Affected Systems

Products:
  • FreshRSS
Versions: 1.26.3 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user interaction; self-hosted instances only.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative privileges through user promotion, then execute arbitrary JavaScript leading to complete system compromise, data theft, or further attacks.

🟠

Likely Case

Authenticated users are tricked into promoting attackers to admin roles, enabling privilege escalation and limited XSS attacks within the FreshRSS interface.

🟢

If Mitigated

If every FreshRSS response carries a Content-Security-Policy frame-ancestors directive (or X-Frame-Options), browsers refuse to render FreshRSS inside a third-party frame, so the attacker's page has nothing to overlay and the attack fails; the worst remaining effect is a confusing blank frame.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to trick authenticated users; exploitation depends on iframe embedding capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.27.0

Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw

Restart Required: No

Instructions:

1. Back up your FreshRSS installation and database.
2. Download FreshRSS 1.27.0 from the GitHub releases page.
3. Replace the existing files with the new version.
4. Clear the browser cache for all users.

🔧 Temporary Workarounds

Restrict iframe embedding

Applies to: all deployments

Send a Content-Security-Policy header with a frame-ancestors directive on every FreshRSS response so browsers refuse to render it inside a frame on another origin. The header must cover every path, not only the login page, since the attacker frames whichever page holds the control they want clicked. Add to the web server or reverse proxy config serving FreshRSS:

Content-Security-Policy: frame-ancestors 'self';

'self' still allows pages on your own origin to frame FreshRSS; use 'none' if nothing of yours needs to. For older browsers without frame-ancestors support, also send X-Frame-Options: SAMEORIGIN. Browsers that understand frame-ancestors ignore X-Frame-Options when both are present, so the CSP value is the one that decides.

🧯 If You Can't Patch

  • Disable user registration and limit authenticated users to trusted individuals only; fewer accounts means fewer targets to lure.
  • Enforce the frame-ancestors policy above on every response, and review any promotion to admin that the administrator does not remember performing.

🔍 How to Verify

Check if Vulnerable:

Check the FreshRSS version on the About page of the web interface, or in the installation directory, where it is defined as FRESHRSS_VERSION in constants.php.

Check Version:

grep FRESHRSS_VERSION /path/to/freshrss/constants.php

Verify Fix Applied:

Confirm the version shown is 1.27.0 or higher, then confirm from outside the application that framing is refused: fetch any FreshRSS page and check that the response carries Content-Security-Policy with frame-ancestors (or X-Frame-Options: DENY or SAMEORIGIN), and that a test page on another origin that iframes FreshRSS renders an empty frame rather than the application.
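The check above, as an added example that is not part of this page or of the FreshRSS project: a Python script that classifies a response's framing policy from its headers, applying the precedence browsers use (frame-ancestors overrides X-Frame-Options, several CSP headers are all enforced, Report-Only enforces nothing, ALLOW-FROM is obsolete). It serves both the frame-ancestors workaround above and the post-patch verification. The header sets at the bottom are constructed, and check_live() with the URL rss.example is a placeholder for your own instance.

```python
"""Decide, from response headers alone, whether a FreshRSS page can be
rendered inside a frame on another origin (the precondition for CVE-2025-57769).

Precedence mirrors browsers:
  1. A Content-Security-Policy with frame-ancestors decides; X-Frame-Options is
     then ignored. Several CSP headers are all enforced, so the strictest wins.
  2. Otherwise X-Frame-Options DENY / SAMEORIGIN applies; ALLOW-FROM is obsolete
     and current browsers ignore it, which leaves the page framable.
  3. Content-Security-Policy-Report-Only enforces nothing and is ignored.
"""
import urllib.error
import urllib.request
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]
RANK = {"blocked": 3, "same-origin": 2, "restricted": 1, "framable": 0}


def parse_frame_ancestors(policy: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the policy lacks it."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def verdict_for_sources(sources: List[str]) -> str:
    """'blocked' for 'none' or an empty list, 'same-origin' for 'self' only,
    'framable' for wildcard or scheme-only sources, otherwise 'restricted'."""
    if not sources or sources == ["'none'"]:
        return "blocked"
    others = [s for s in sources if s != "'self'"]
    if not others:
        return "same-origin"
    if any(s in ("*", "http:", "https:") for s in others):
        return "framable"
    return "restricted"


def framing_verdict(headers: Iterable[Header]) -> str:
    """Classify a response from its (name, value) header pairs."""
    csp_verdicts: List[str] = []
    xfo: Optional[str] = None
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "content-security-policy":
            sources = parse_frame_ancestors(value)
            if sources is not None:
                csp_verdicts.append(verdict_for_sources(sources))
        elif lname == "x-frame-options" and xfo is None:
            xfo = value.strip().lower()
    if csp_verdicts:
        return max(csp_verdicts, key=RANK.__getitem__)
    if xfo == "deny":
        return "blocked"
    if xfo == "sameorigin":
        return "same-origin"
    return "framable"


def check_live(url: str, timeout: float = 10.0) -> str:
    """Fetch a FreshRSS page and classify it. A redirect to the login page or an
    error status still carries headers, so both paths are inspected."""
    req = urllib.request.Request(url, headers={"User-Agent": "framing-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return framing_verdict(resp.getheaders())
    except urllib.error.HTTPError as err:
        return framing_verdict(err.headers.items())


# Constructed header sets, not captured from a real instance.
SAMPLES = {
    "unpatched default": [("Content-Type", "text/html; charset=UTF-8")],
    "workaround from this page": [("Content-Security-Policy", "frame-ancestors 'self';")],
    "csp overrides xfo": [("X-Frame-Options", "DENY"),
                          ("Content-Security-Policy", "frame-ancestors 'self'")],
    "report-only is not a fix": [("Content-Security-Policy-Report-Only",
                                  "frame-ancestors 'none'")],
    "obsolete allow-from": [("X-Frame-Options", "ALLOW-FROM https://reader.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:28s} -> {framing_verdict(hdrs)}")
    # check_live("https://rss.example/i/")  # run only against your own instance
```

The "csp overrides xfo" sample is the one to note: a DENY in X-Frame-Options is silently downgraded to same-origin framing by a weaker frame-ancestors, so the CSP value is the one to audit.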

📡 Detection & Monitoring

Log Indicators:

  • A user promoted to admin by an administrator session with no matching intent; confirm with the admin, because the promoting session is the victim's own, so the source IP and credentials look legitimate and no failed logins precede it
  • If your access log format records the browser's Fetch Metadata headers: POST requests whose Sec-Fetch-Dest is iframe. A FreshRSS form submitted inside a frame carries Sec-Fetch-Dest: iframe, while the same submission from a normal tab carries document. The Referer is of little use here, since the framed form posts from FreshRSS's own origin

Network Indicators:

  • GET requests for FreshRSS pages with Sec-Fetch-Site: cross-site and Sec-Fetch-Dest: iframe, meaning a third-party page loaded FreshRSS in a frame; these still appear after frame-ancestors is enforced, because the browser fetches the response and then refuses to render it
  • POST requests to the user-management endpoint that do not come from a top-level browsing context (Sec-Fetch-Dest other than document)

SIEM Query:

Illustrative query shape only: FreshRSS emits no "user_promoted" or "iframe_embed" events, so map this onto your proxy or web server access logs after adding the Sec-Fetch-* headers to the log format (the c=user path is an assumption; adapt it to your routing):

source="freshrss" method="POST" sec_fetch_dest="iframe" OR (uri="*c=user*" sec_fetch_site="cross-site" sec_fetch_dest="iframe")
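The log and network indicators above, as an added example that is not part of this page or of the FreshRSS project: detection logic run over constructed access log lines. It assumes an nginx log_format that appends Sec-Fetch-Site and Sec-Fetch-Dest to the combined format (stated in the docstring; neither nginx nor FreshRSS logs these by default), and it assumes the FreshRSS user-administration path starts with /i/?c=user; both are placeholders to adapt. The sample lines, IPs and hostnames are made up.

```python
"""Flag clickjacking-shaped requests in FreshRSS access logs using the browser's
Fetch Metadata headers.

Assumed nginx log_format (not FreshRSS's or nginx's default; adapt the regex
if yours differs):
  log_format fetchmeta '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status "$http_referer" "$http_sec_fetch_site" '
                       '"$http_sec_fetch_dest"';

Signals (modern browsers only; curl and old browsers send no Sec-Fetch-* headers):
  * POST with Sec-Fetch-Dest: iframe -> a form was submitted while FreshRSS was
    rendered inside a frame; a normal tab sends "document".
  * GET of an admin page with Sec-Fetch-Site: cross-site and Sec-Fetch-Dest: iframe
    -> a third-party page framed FreshRSS. Logged even when frame-ancestors is
    enforced, because the browser fetches the response and then refuses to render it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<site>[^"]*)" "(?P<dest>[^"]*)"$'
)

# FreshRSS user-administration path; an assumption, check your routing.
USER_ADMIN_PATH = re.compile(r"^/i/\?c=user\b")


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, None for benign or undecidable ones."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path, site, dest = m["method"], m["path"], m["site"], m["dest"]
    if dest in ("", "-"):
        return None  # no fetch metadata (script, old browser): undecidable from this line
    admin = bool(USER_ADMIN_PATH.search(path))
    if method == "POST" and dest == "iframe":
        return Finding("high" if admin else "medium",
                       "state-changing request submitted from inside a frame", line)
    if admin and dest == "iframe" and site == "cross-site":
        return Finding("medium", "admin page loaded in a cross-site frame", line)
    return None


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample lines, not from a real deployment.
SAMPLE_LOG = [
    # legitimate admin action from a normal tab
    '203.0.113.10 - admin [12/Sep/2025:10:01:02 +0000] "POST /i/?c=user&a=manage HTTP/1.1" '
    '302 "https://rss.example/i/?c=user&a=manage" "same-origin" "document"',
    # attacker page at evil.example frames the user-management page
    '203.0.113.10 - admin [12/Sep/2025:10:05:41 +0000] "GET /i/?c=user&a=manage HTTP/1.1" '
    '200 "https://evil.example/win.html" "cross-site" "iframe"',
    # the admin's click lands on the framed form: the clickjacked submission
    '203.0.113.10 - admin [12/Sep/2025:10:05:47 +0000] "POST /i/?c=user&a=manage HTTP/1.1" '
    '302 "https://rss.example/i/?c=user&a=manage" "same-origin" "iframe"',
    # script or old browser: no fetch metadata, cannot be judged by this rule
    '198.51.100.7 - - [12/Sep/2025:10:09:00 +0000] "POST /i/?c=user&a=manage HTTP/1.1" '
    '302 "-" "-" "-"',
    # another form submitted inside a frame: lower severity, still worth a look
    '203.0.113.10 - admin [12/Sep/2025:10:11:13 +0000] "POST /i/?c=configure&a=display HTTP/1.1" '
    '302 "https://rss.example/i/?c=configure&a=display" "same-origin" "iframe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

Note what the clickjacked POST looks like: same-origin Referer, the victim's own username and IP, a 302 like any other successful form submit. Only Sec-Fetch-Dest separates it from the legitimate line above it, which is why the headers have to be logged before an incident, not after.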
