CVE-2025-61586

5.3 MEDIUM

📋 TL;DR

FreshRSS versions 1.26.3 and below contain a path traversal vulnerability in the theme field that allows attackers to enumerate server directories. This can reveal sensitive information about the server's file structure. Only self-hosted FreshRSS instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • FreshRSS
Versions: 1.26.3 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects self-hosted instances; cloud/SaaS deployments are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map the server's directory structure, potentially discovering configuration files, backup directories, or other sensitive paths that could lead to further exploitation.

🟠 Likely Case

Information disclosure about server directory structure, which could aid attackers in planning more targeted attacks.

🟢 If Mitigated

Limited information disclosure with no direct access to file contents, only directory existence checks.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to modify theme settings, which typically requires authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.27.0

Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4f

Restart Required: No

Instructions:

1. Back up your FreshRSS installation and database.
2. Download FreshRSS 1.27.0 or later from the official repository.
3. Replace the existing installation with the new version.
4. Verify the update was successful by checking the version in the admin interface.

🔧 Temporary Workarounds

Restrict theme modification permissions

all

Limit which users can modify theme settings to trusted administrators only.

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from modifying theme settings.
  • Monitor logs for unusual theme modification attempts or directory enumeration patterns.

🔍 How to Verify

Check if Vulnerable:

Check FreshRSS version in admin interface or by examining the installation directory. Versions 1.26.3 and below are vulnerable.

Check Version:

Check FreshRSS admin dashboard or examine /app/constants.php for version information.

Verify Fix Applied:

Verify version is 1.27.0 or higher in admin interface. Test theme functionality to ensure it works normally.

📡 Detection & Monitoring

Log Indicators:

  • Unusual theme modification requests
  • Multiple failed directory path attempts in theme settings

Network Indicators:

  • HTTP requests with unusual path patterns in theme parameters

SIEM Query:

source="freshrss" AND (event="theme_update" OR parameters CONTAINS "../" OR parameters CONTAINS "/etc/")
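The log indicators and SIEM query above can be turned into a small checker. The following is an added example, not code from this page or from the FreshRSS project: it assumes the theme setting travels as a query parameter named `theme` (a hypothetical name), an allowlist of the theme names actually installed, and combined-format access logs with the query string visible. Unlike the plain `"../"` match in the SIEM query, it also catches percent-encoded, double-encoded and backslash variants, and it treats any value that is not an allowlisted theme name as worth a look.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Theme names this install legitimately offers (constructed sample allowlist;
# populate it from the real themes directory of your deployment).
KNOWN_THEMES = {"Origine", "Dark", "Flat"}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def normalise(value: str) -> str:
    """Percent-decode until stable (bounded) and fold backslashes to '/',
    so encoded variants such as %2e%2e%2f or ..%5c read as '../'."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_suspicious_theme(value: str) -> bool:
    """True unless the value is a bare, allowlisted theme name."""
    v = normalise(value)
    if "\x00" in v or "/" in v or ".." in v:
        return True
    return not (_SAFE_NAME.match(v) and v in KNOWN_THEMES)


def scan_access_log(lines):
    """Return a list of (line_number, decoded theme value) for each suspicious
    request. The parameter name 'theme' is an assumption, not FreshRSS's own."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQUEST.search(line)
        if not m:
            continue
        for theme in parse_qs(urlsplit(m.group(1)).query).get("theme", []):
            if is_suspicious_theme(theme):
                hits.append((n, normalise(theme)))
    return hits


# Constructed sample lines in combined log format; the /settings path is made up.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jan/2025:10:00:00 +0000] "GET /settings?theme=Dark HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jan/2025:10:00:03 +0000] "GET /settings?theme=..%2F..%2Fetc HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jan/2025:10:00:04 +0000] "GET /settings?theme=%252e%252e/var HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jan/2025:10:00:05 +0000] "GET /settings?theme=Unknown HTTP/1.1" 200 512',
]
```

Running `scan_access_log(SAMPLE_LOG)` reports lines 2, 3 and 4; line 1 (a known theme) is left alone.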
