CVE-2025-62166
📋 TL;DR
FreshRSS versions before 1.28.0 contain an authentication bypass vulnerability in master token logic. When anonymous viewing is enabled, attackers can access private RSS feeds belonging to users other than the default user. This affects all FreshRSS instances with anonymous viewing enabled.
💻 Affected Systems
- FreshRSS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers could access sensitive RSS feeds containing confidential information, corporate intelligence, or personal data from all users on the vulnerable instance.
Likely Case
Information disclosure of private RSS feeds, potentially exposing sensitive personal or organizational information that users believed was protected.
If Mitigated
Limited impact if anonymous viewing is disabled or if the instance only has the default user configured.
🎯 Exploit Status
Exploitation appears straightforward based on the advisory description: the master token authentication check is bypassed when anonymous viewing is enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.28.0
Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w743-fg6g-mhwh
Restart Required: Yes
Instructions:
1. Backup your FreshRSS instance and database.
2. Download FreshRSS 1.28.0 from the official repository.
3. Replace existing files with the new version.
4. Restart your web server.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable Anonymous Viewing
Disable anonymous viewing in the FreshRSS configuration to prevent exploitation of this vulnerability.
Edit config.php and set 'allow_anonymous' => false
Edit config.php and set 'allow_anonymous_refresh' => false
🧯 If You Can't Patch
- Disable anonymous viewing in FreshRSS configuration immediately.
- Restrict network access to the FreshRSS instance to trusted users only.
🔍 How to Verify
Check if Vulnerable:
Check if FreshRSS version is below 1.28.0 and anonymous viewing is enabled in configuration.
Check Version:
Check the version displayed in FreshRSS web interface or examine the CHANGELOG.md file in the installation directory.
Verify Fix Applied:
Verify FreshRSS version is 1.28.0 or higher and test that private user feeds cannot be accessed anonymously.
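The version and configuration check described above, as an added example that is not code from FreshRSS or from this advisory. It applies the page's criterion (version below 1.28.0 and anonymous viewing enabled) to constructed config.php contents; the key names and the 1.28.0 threshold come from this page, and the PHP array layout of the sample config is assumed to match a real install.

```python
import re
from typing import Optional

# Fixed version named in the advisory on this page.
PATCHED_VERSION = (1, 28, 0)

# Constructed sample config.php contents (not copied from a real install).
VULNERABLE_CONFIG = """<?php
return array(
    'environment' => 'production',
    'allow_anonymous' => true,
    'allow_anonymous_refresh' => true,
);
"""
HARDENED_CONFIG = VULNERABLE_CONFIG.replace("=> true", "=> false")


def parse_version(version: str) -> tuple:
    """Turn '1.27.1' or 'v1.28.0-dev' into a comparable tuple of ints.
    A pre-release suffix is dropped, so a dev build counts as its base version."""
    core = version.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def php_bool_flag(config_php: str, key: str) -> Optional[bool]:
    """Read 'key' => true|false from a PHP array config; None if the key is absent."""
    pattern = r"['\"]" + re.escape(key) + r"['\"]\s*=>\s*(true|false)\b"
    match = re.search(pattern, config_php, re.IGNORECASE)
    return None if match is None else match.group(1).lower() == "true"


def assess(version: str, config_php: str) -> dict:
    """Apply the page's criterion: version below 1.28.0 AND anonymous viewing enabled."""
    anon = php_bool_flag(config_php, "allow_anonymous")
    anon_refresh = php_bool_flag(config_php, "allow_anonymous_refresh")
    outdated = parse_version(version) < PATCHED_VERSION
    return {
        "version": version,
        "outdated": outdated,
        # An absent key is reported as False here; confirm the effective default by hand.
        "allow_anonymous": bool(anon),
        "allow_anonymous_refresh": bool(anon_refresh),
        "vulnerable": outdated and bool(anon),
    }


def is_vulnerable(version: str, config_php: str) -> bool:
    return assess(version, config_php)["vulnerable"]


if __name__ == "__main__":
    for ver, cfg in (("1.27.1", VULNERABLE_CONFIG), ("1.27.1", HARDENED_CONFIG)):
        print(assess(ver, cfg))
```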
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to user-specific RSS feed URLs from unauthenticated clients
- Access attempts to /i/c/ URLs for non-default users without authentication
Network Indicators:
- HTTP requests to user-specific feed endpoints without authentication cookies or tokens
SIEM Query:
web_access_logs WHERE (url CONTAINS '/i/c/' AND NOT (user_agent CONTAINS 'FreshRSS' OR authenticated_user EXISTS))