CVE-2025-68932

9.8 CRITICAL

📋 TL;DR

This vulnerability in FreshRSS allows attackers to predict authentication tokens due to weak random number generation, enabling account takeover through session hijacking. All FreshRSS instances prior to version 1.28.0 are affected, particularly those with 'keep me logged in' functionality enabled. Self-hosted RSS aggregator users are at risk of unauthorized access to their accounts.

💻 Affected Systems

Products:
  • FreshRSS
Versions: All versions prior to 1.28.0
Operating Systems: All platforms running FreshRSS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when remember-me functionality is used, which is a common feature for user convenience.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover with persistent unauthorized access, data theft, and potential privilege escalation if admin accounts are compromised.

🟠 Likely Case

Unauthorized access to user accounts leading to data exposure, RSS feed manipulation, and potential lateral movement within the application.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an understanding of weak RNG prediction, but attempting to predict a token does not itself require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.28.0

Vendor Advisory: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j9wc-gwc6-p786

Restart Required: Yes

Instructions:

1. Back up your FreshRSS installation and database.
2. Download FreshRSS 1.28.0 or later from the official repository.
3. Replace the existing installation with the new version.
4. Restart your web server.
5. Verify the update by checking the version in the FreshRSS interface.

🔧 Temporary Workarounds

Disable Remember-Me Functionality

all

Temporarily disable the 'keep me logged in' feature to prevent remember-me token generation.

Edit the FreshRSS configuration to disable remember-me tokens.

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to FreshRSS instances
  • Enable detailed logging and monitoring for suspicious authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check the FreshRSS version in the web interface, or examine the installation directory for version files.

Check Version:

Check the version displayed in the FreshRSS web interface footer or admin panel.

Verify Fix Applied:

Confirm the version is 1.28.0 or higher in the FreshRSS interface or via the version check files.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful login with predicted tokens
  • Unusual login patterns from unexpected locations

Network Indicators:

  • Unusual authentication request patterns to FreshRSS endpoints

SIEM Query:

source="freshrss" AND (event="authentication" OR event="login") | stats count by user, src_ip | where count > threshold
