CVE-2025-58173
📋 TL;DR
This vulnerability in FreshRSS allows unprivileged users to perform path traversal via the language configuration parameter, enabling them to access install.php and execute administrative actions. Attackers can create admin accounts, hijack database connections, and potentially execute arbitrary code through malicious feed parameters. Users running FreshRSS versions 1.23.0 through 1.27.0 are affected.
💻 Affected Systems
- FreshRSS
📦 What is this software?
FreshRSS, a self-hosted RSS/Atom feed aggregator, by the FreshRSS project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution, admin account takeover, and database hijacking leading to data theft or destruction.
Likely Case
Unauthorized admin account creation leading to privilege escalation and potential data manipulation.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external exploitation.
🎯 Exploit Status
The vulnerability requires minimal technical skill to exploit and has clear attack paths documented in the CVE description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.27.1
Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories
Restart Required: No
Instructions:
1. Back up your FreshRSS installation and database.
2. Download FreshRSS 1.27.1 or later from the official repository.
3. Replace the existing installation files with the patched version.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Restrict access to install.php
Block direct access to install.php via web server configuration (Apache 2.4 syntax; .htaccess must be permitted by AllowOverride):
# For Apache: add to .htaccess
<Files "install.php">
    Require all denied
</Files>
# For Nginx: add to server block
location ~ /install\.php$ {
    deny all;
}
Remove install.php after setup
Delete or rename the install.php file after the initial installation (use one of the two commands; adjust the path):
rm /path/to/freshrss/install.php
mv /path/to/freshrss/install.php /path/to/freshrss/install.php.disabled
🧯 If You Can't Patch
- Implement strict network access controls to limit FreshRSS access to trusted IP addresses only.
- Monitor for unauthorized admin account creation and unexpected database connection changes.
🔍 How to Verify
Check if Vulnerable:
Check the FreshRSS version in the web interface footer, or examine the constants.php file for the FRESHRSS_VERSION constant.
Check Version:
grep "FRESHRSS_VERSION" /path/to/freshrss/constants.php
Verify Fix Applied:
Confirm the version is 1.27.1 or higher and verify that validation of the language parameter rejects path traversal sequences.
📡 Detection & Monitoring
Log Indicators:
- Access to install.php from non-admin users
- Unexpected admin user creation
- Database configuration changes
- Unusual language parameter values containing path traversal sequences
Network Indicators:
- HTTP requests with language parameter containing '../' sequences
- Requests to install.php from unauthorized sources
SIEM Query:
source="web_access_logs" AND (uri="*install.php*" OR param="*language*../*")
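As an added illustration of the log and network indicators above (example Python written for this page, not FreshRSS code and not part of the advisory), the following scans web access-log lines for the two indicators listed: requests to install.php, and a query parameter carrying a '../' traversal sequence. It goes slightly beyond the page by inspecting every parameter rather than only language, and by percent-decoding repeatedly so that encoded (%2e%2e%2f) and double-encoded forms, which a literal '*../*' match in the SIEM query would miss, are still caught. The log lines, IP addresses and request paths are constructed placeholders, and the log format is assumed to be Apache/Nginx combined format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined-log shape). These are
# illustrative, not captured FreshRSS traffic; paths and IPs are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [12/Sep/2025:10:01:02 +0000] "GET /i/?c=index&a=index HTTP/1.1" 200 512',
    '10.0.0.9 - bob [12/Sep/2025:10:02:11 +0000] "GET /i/?c=user&a=profile&language=en HTTP/1.1" 200 300',
    '203.0.113.7 - - [12/Sep/2025:10:03:45 +0000] "POST /i/?c=user&a=profile&language=../../install HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Sep/2025:10:03:50 +0000] "GET /i/?c=user&a=profile&language=%2e%2e%2F%2e%2e%2Finstall HTTP/1.1" 200 1200',
    '198.51.100.2 - - [12/Sep/2025:10:04:00 +0000] "GET /install.php?step=5 HTTP/1.1" 200 4000',
]

# Combined log format: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# '../' or '..\' after decoding; both separators are checked.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '%252e%252e%252f' is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(uri: str) -> list[str]:
    """Return the indicators present in one request URI (empty list if clean)."""
    reasons = []
    parts = urlsplit(uri)
    # Indicator 1: any request whose path names install.php (case-insensitive).
    if 'install.php' in fully_decode(parts.path).lower():
        reasons.append('install.php requested')
    # Indicator 2: a traversal sequence in any query parameter value.
    # parse_qs decodes once; fully_decode handles further encoding layers.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            if TRAVERSAL_RE.search(fully_decode(raw)):
                reasons.append(f'traversal sequence in parameter {name!r}')
    return reasons


def analyze(lines) -> list[dict]:
    """Scan log lines; return one finding per suspicious (or unparseable) line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            findings.append({'line': line_no, 'ip': None, 'reasons': ['unparseable log line']})
            continue
        reasons = inspect_request(m['uri'])
        if reasons:
            findings.append({
                'line': line_no, 'ip': m['ip'], 'user': m['user'],
                'status': int(m['status']), 'reasons': reasons,
            })
    return findings


def summarize_by_ip(findings: list[dict]) -> dict[str, set[str]]:
    """Group indicator types by source IP for triage (which clients did what)."""
    by_ip: dict[str, set[str]] = {}
    for f in findings:
        if f['ip'] is not None:
            by_ip.setdefault(f['ip'], set()).update(f['reasons'])
    return by_ip


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOGS):
        print(f"line {f['line']} from {f['ip']}: {'; '.join(f['reasons'])}")
    for ip, reasons in summarize_by_ip(analyze(SAMPLE_LOGS)).items():
        print(ip, sorted(reasons))
```

Run over the constructed sample, lines 3, 4 and 5 are flagged: the two language values decode to '../../install', and the last line requests install.php directly. Feed real access logs to analyze() line by line; a single client that both sends traversal values and reaches install.php is the pattern the Detection section describes.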
🔗 References
- https://github.com/FreshRSS/FreshRSS/commit/79604aa4b3051f083d1734bd9e82c6a89d785c5a#diff-49280171b6e7964e21a0270427e56eacb47b8ac562593a01ad4bc74b49f840c7R135
- https://github.com/FreshRSS/FreshRSS/commit/dbbae15a8458679db0f4540dacdbdcff9c02ec8c#diff-63f610c36d0f2555c1787f6d0804f46f4df6e0f918dfe03408309039abf6efebL85-L88
- https://github.com/FreshRSS/FreshRSS/commit/ee175dd6169a016fc898fac62d046e22c205dec0#diff-6ebff7743ede829cf5a7f0e4566b42023a2d4779cc8d7e96fefec116f2292174R190-R194
- https://github.com/FreshRSS/FreshRSS/pull/7878
- https://github.com/FreshRSS/FreshRSS/pull/7971
- https://github.com/FreshRSS/FreshRSS/pull/7979
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-6c8h-w3j5-j293