CVE-2025-68148

4.3 MEDIUM

📋 TL;DR

This vulnerability in FreshRSS allows attackers to globally deny access to RSS feeds by manipulating proxy responses to return HTTP 429 Retry-After headers for multiple feeds. This makes the instance unusable for most users through a denial-of-service attack. Only self-hosted FreshRSS instances running versions 1.27.0 through 1.27.x are affected.

💻 Affected Systems

Products:
  • FreshRSS
Versions: 1.27.0 to 1.27.x (before 1.28.0)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances using proxy functionality for feed fetching. Self-hosted deployments are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service where all users lose access to RSS feeds, rendering the FreshRSS instance unusable until manually restored or patched.

🟠 Likely Case

Partial or intermittent feed access issues affecting multiple users, requiring administrator intervention to restore normal functionality.

🟢 If Mitigated

Minimal impact with proper proxy filtering and rate limiting in place, potentially causing temporary feed access issues for some users.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires the ability to manipulate proxy responses so that they return HTTP 429 responses with Retry-After headers for multiple feeds.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.28.0

Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78

Restart Required: No

Instructions:

1. Back up your FreshRSS installation and database.
2. Download FreshRSS version 1.28.0 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable proxy functionality (applies to: all)

  • Temporarily disable proxy usage for feed fetching if not required
  • Edit FreshRSS configuration to remove or comment out proxy settings

Implement proxy filtering (applies to: all)

  • Configure network proxy to filter or block 429 Retry-After responses
  • Configure proxy server to intercept and modify 429 responses

🧯 If You Can't Patch

  • Implement network-level rate limiting and filtering for 429 responses
  • Monitor proxy logs for unusual 429 Retry-After patterns and block offending IPs

🔍 How to Verify

Check if Vulnerable:

Check FreshRSS version in admin interface or by examining version files in installation directory

Check Version:

Check FreshRSS admin panel or grep for version in installation files

Verify Fix Applied:

Confirm version is 1.28.0 or later and test feed fetching through proxy

📡 Detection & Monitoring

Log Indicators:

  • Multiple 429 Retry-After responses from proxy for different feeds
  • Unusual increase in feed fetch failures

Network Indicators:

  • Suspicious proxy traffic patterns
  • Multiple HTTP 429 responses from single source

SIEM Query:

proxy_response_code=429 AND (destination_port=80 OR destination_port=443) AND count>threshold

The port clause must be parenthesized: in most SIEM query languages AND binds tighter than OR, so without the grouping the destination_port=443 branch would match regardless of response code or count.
