CVE-2025-59950

6.7 MEDIUM

📋 TL;DR

This vulnerability in FreshRSS allows attackers to trick administrators into promoting unauthorized users to admin privileges through a double clickjacking bypass. Attackers need to know the target instance URL and lure an admin into clicking on a malicious website. This affects all FreshRSS instances running version 1.26.3 or below.

💻 Affected Systems

Products:
  • FreshRSS
Versions: 1.26.3 and below
Operating Systems: All operating systems running FreshRSS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The attack requires admin interaction with a malicious website.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full administrative access, can compromise all user accounts, modify system configuration, and potentially execute arbitrary code through admin privileges.

🟠

Likely Case

Attacker promotes themselves to admin, accesses sensitive user data, and maintains persistent access to the RSS aggregator instance.

🟢

If Mitigated

With proper user awareness training and access controls, the attack requires social engineering success and may be detected through audit logs.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly accessible to attackers who can craft malicious websites targeting known instance URLs.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable if attackers have internal network access or can trick admins via internal phishing.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to trick an admin, knowledge of the target instance URL, and a crafted malicious website that performs the clickjacking.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.27.0

Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j66v-hvqx-5vh3

Restart Required: No

Instructions:

1. Back up your FreshRSS installation and database.
2. Download FreshRSS 1.27.0 from the official repository.
3. Replace the existing installation files with the new version.
4. Verify the update by checking the version in the admin interface.

🔧 Temporary Workarounds

Implement Content Security Policy Frame Ancestors

Applies to: all

Add a CSP header to prevent framing of FreshRSS pages by external sites.

Add to web server config (Apache mod_headers syntax shown): Header set Content-Security-Policy "frame-ancestors 'self'"

X-Frame-Options Header

Applies to: all

Prevent page framing with the X-Frame-Options header.

Add to web server config (Apache mod_headers syntax shown): Header set X-Frame-Options "SAMEORIGIN"
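To confirm that the two workarounds above are actually in effect, here is an added example (not code from the advisory or the FreshRSS project) that evaluates a response's headers the way a browser decides whether the page may be framed; the sample headers are constructed, and `FramingCheck`, `parse_csp` and `check_framing_protection` are names chosen for this example.

```python
# Added example: decide whether response headers forbid framing by external sites.
from dataclasses import dataclass


@dataclass
class FramingCheck:
    protected: bool
    reason: str


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_framing_protection(headers: dict) -> FramingCheck:
    """Return whether the response forbids framing by arbitrary external sites.
    Browsers that support CSP frame-ancestors ignore X-Frame-Options when both
    are present, so the CSP directive is evaluated first and is authoritative."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # '*' or a bare scheme lets any site on that scheme frame the page
            if "*" in ancestors or "http:" in ancestors or "https:" in ancestors:
                return FramingCheck(False, f"frame-ancestors allows any origin: {ancestors}")
            return FramingCheck(True, f"frame-ancestors restricts framing to {ancestors}")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return FramingCheck(True, f"X-Frame-Options {xfo}")
    if xfo.startswith("ALLOW-FROM"):
        return FramingCheck(False, "X-Frame-Options ALLOW-FROM is ignored by current browsers")
    return FramingCheck(False, "no frame-ancestors directive and no X-Frame-Options header")


if __name__ == "__main__":
    # Constructed sample responses: one with the advisory's CSP setting, one unprotected.
    hardened = {"Content-Security-Policy": "frame-ancestors 'self'", "Content-Type": "text/html"}
    exposed = {"Content-Type": "text/html", "X-Frame-Options": "ALLOW-FROM https://example.com"}
    for name, hdrs in (("hardened", hardened), ("exposed", exposed)):
        print(name, check_framing_protection(hdrs))
```

Feed it the headers returned by a request to the FreshRSS login or admin page after applying the workaround; a `protected=False` result means the framing protection did not reach the client.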

🧯 If You Can't Patch

  • Implement strict Content Security Policy with frame-ancestors directive
  • Admin user awareness training about clickjacking risks and suspicious websites

🔍 How to Verify

Check if Vulnerable:

Check the FreshRSS version in the admin interface or via the git tag. If the version is 1.26.3 or below, you are vulnerable.

Check Version:

Check the FreshRSS version via the admin panel, or examine the version constant in app/constants.php.

Verify Fix Applied:

After updating, verify that the version shown in the admin interface is 1.27.0 or higher. Test that confirmation dialogs appear properly for admin actions.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user privilege changes from 'default' to 'admin'
  • Admin actions from unusual IP addresses or user agents
  • Multiple failed login attempts followed by successful privilege escalation

Network Indicators:

  • HTTP requests with suspicious referer headers pointing to external domains
  • Unusual patterns of admin page accesses

SIEM Query:

source="freshrss.log" AND (event="user_privilege_change" OR event="admin_action") AND (user_role_changed="admin" OR action="promote_user")
