Platform
php
Component
freshrss
Fixed in
1.27.2
CVE-2025-59949 describes a cross-site request forgery (CSRF) vulnerability in the logout functionality of FreshRSS versions up to and including 1.27.0. An attacker can make an authenticated user's browser end that user's FreshRSS session, a denial-of-service condition for the affected user. The advisory text names 1.27.1 as the fixed release while the header above lists 1.27.2; in either case, upgrade to the current release.
The impact is a denial of service against individual users rather than the server. An attacker plants a request to the FreshRSS logout action in a web page or HTML email; when an authenticated user's browser renders it, the browser attaches the FreshRSS session cookie and the user is logged out. If the logout action can be reached by a plain GET, an image tag suffices and no click is needed; an auto-submitting form achieves the same for a POST. Repeated or automated exploitation keeps logging the user out and disrupts access to their feeds, but no data is read or modified. The blast radius is limited to users of the targeted instance, and because FreshRSS is self-hosted, every instance has to be patched individually.
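To make the mechanism concrete, the following added example (not FreshRSS code and not from the original page) models a logout handler in the vulnerable pattern beside a hardened one, and feeds both the kind of request an attacker page produces. The Request shape, the in-memory session store, the /logout path and the _csrf field name are simplifying assumptions for illustration only.

```python
"""Added example, not FreshRSS code: why an unprotected logout action is
forgeable across sites, and what a hardened handler checks instead.

The Request shape, the in-memory session store, the /logout path and the
_csrf field name are simplifying assumptions for illustration only.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # browser attaches these even cross-site
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)     # only the submitting page controls these


# Constructed session store: session id -> {"user": ..., "csrf": ...}
SESSIONS: dict = {}


def login(user: str) -> str:
    """Create a session with a per-session CSRF token; returns the session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def vulnerable_logout(req: Request) -> bool:
    """Vulnerable pattern: any request that carries the session cookie ends the
    session.  Browsers send cookies on cross-site requests unless the cookie is
    SameSite-restricted, so an <img src="https://victim/logout"> or an
    auto-submitting form on an attacker's page is enough.  Returns True when
    the session was destroyed."""
    sid = req.cookies.get("sid")
    if sid in SESSIONS:
        del SESSIONS[sid]
        return True
    return False


def hardened_logout(req: Request) -> bool:
    """Hardened pattern: logout must be a POST whose body carries the session's
    CSRF token.  A page on another origin cannot read that token, so a forged
    request fails the constant-time comparison.  As defence in depth, requests
    the browser itself labels cross-site (Sec-Fetch-Site) are refused before
    the token is even examined."""
    if req.method != "POST":
        return False
    if req.headers.get("Sec-Fetch-Site", "same-origin") == "cross-site":
        return False
    sid = req.cookies.get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    supplied = req.form.get("_csrf", "")
    if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
        return False
    del SESSIONS[sid]
    return True


def forged_get(sid: str) -> Request:
    """What an <img> or link on an attacker page produces: a GET to the logout
    path; the victim's browser adds the cookie, the attacker cannot add a token."""
    return Request("GET", "/logout", cookies={"sid": sid},
                   headers={"Sec-Fetch-Site": "cross-site"})


def forged_post(sid: str) -> Request:
    """What an auto-submitting cross-site form produces: a POST with the cookie
    but only a guessed token, and labelled cross-site by the browser."""
    return Request("POST", "/logout", cookies={"sid": sid},
                   headers={"Sec-Fetch-Site": "cross-site"},
                   form={"_csrf": "guess"})


def legitimate_post(sid: str) -> Request:
    """What the real logout button submits: same-origin POST with the token."""
    return Request("POST", "/logout", cookies={"sid": sid},
                   headers={"Sec-Fetch-Site": "same-origin"},
                   form={"_csrf": SESSIONS[sid]["csrf"]})


def demo() -> dict:
    """Exercise both handlers; returns which requests succeeded in logging out."""
    out = {}
    sid = login("alice")
    out["vulnerable_forged_get"] = vulnerable_logout(forged_get(sid))
    sid = login("alice")
    out["hardened_forged_get"] = hardened_logout(forged_get(sid))
    out["hardened_forged_post"] = hardened_logout(forged_post(sid))
    out["session_intact_after_forgeries"] = sid in SESSIONS
    out["hardened_legitimate"] = hardened_logout(legitimate_post(sid))
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The vulnerable handler logs the user out on the forged GET; the hardened one rejects both forgeries while the session stays intact, and still honours the real logout button. The token check is the actual fix; the Sec-Fetch-Site test only adds a second, browser-supplied signal.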
CVE-2025-59949 was publicly disclosed on December 18, 2025. No public proof-of-concept exploit is known, and the vulnerability is not listed in the CISA KEV catalog as of that date. Because a logout forgery amounts to a single HTML element or form pointed at the logout action, the absence of a published PoC should not be read as a barrier to exploitation.
Users of FreshRSS running version 1.27.0 or earlier are at risk. This includes individuals and organizations self-hosting FreshRSS instances. Instances on private networks are not exempt: the forged request is issued by the logged-in user's own browser, so any instance that browser can reach is a target.
• php / server:
grep -n 'FRESHRSS_VERSION' /var/www/html/freshrss/constants.php   # assumes the default install path and the version constant in constants.php; compare the value against 1.27.1
• generic web:
curl -sI https://your-freshrss-instance.com/ | grep -i 'set-cookie'   # a session cookie without SameSite=Lax or Strict is sent along with cross-site requests
Exploit status
disclosure
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The definitive mitigation for CVE-2025-59949 is to upgrade FreshRSS to version 1.27.1 or later. If an immediate upgrade is not feasible, note that a Content Security Policy on the FreshRSS instance does not help: CSP governs what your own pages may load, whereas a CSRF request is issued from the attacker's page, where your policy does not apply. Interim measures that do address CSRF are marking the session cookie SameSite (Strict withholds it on every cross-site request; Lax still sends it on top-level GET navigations, so Lax alone does not cover a GET-reachable logout), and rejecting requests to the logout action at a reverse proxy when the browser labels them cross-site (Sec-Fetch-Site: cross-site) or when the Origin header is not your own. User awareness helps little here, since a forced logout needs at most a visit to an attacker-controlled page and never involves entering credentials. After upgrading, confirm the fix by issuing a cross-site logout request against a logged-in session and verifying that the session survives.
Update FreshRSS to version 1.27.1 or later. This version fixes the CSRF vulnerability that enables denial of service (DoS) attacks. The update can be performed through the FreshRSS administration interface, or by downloading the latest version of the software and replacing the existing files.
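One way to apply the reverse-proxy measure described above while the upgrade is pending, as an added example that is neither from the original page nor from the FreshRSS project. It assumes FreshRSS is served by an nginx server block and that the logout action is selected by the query parameter a=logout on the front controller; verify the actual logout link on your own instance before relying on that assumption.

```nginx
# Added example, not from the page or the FreshRSS project: an interim
# reverse-proxy rule for nginx while the upgrade to 1.27.1+ is pending.
# Assumptions: FreshRSS is served by this server block, and the logout
# action is selected by the query parameter a=logout on the front controller
# (check your instance's logout link; the parameter is an assumption here).
#
# Browsers add Sec-Fetch-Site to every request: "same-origin" for the real
# logout link inside FreshRSS, "cross-site" for an <img>, link or form on an
# attacker's page.  Combining it with the query parameter isolates forged
# logout requests; every other request passes untouched.
# (The map block belongs in the http context, outside server.)
map "$http_sec_fetch_site:$arg_a" $freshrss_forged_logout {
    default              0;
    "cross-site:logout"  1;
}

server {
    listen 443 ssl;
    server_name rss.example.org;      # placeholder name
    root /var/www/html/freshrss/p;    # placeholder; point at your FreshRSS public directory

    # Weak setting: every request reaches the application, so a cross-site
    # request that carries the session cookie logs the user out.
    #
    # location / {
    #     # ... your existing try_files / PHP handling ...
    # }

    # Corrected: refuse forged logout requests before they reach PHP.
    location / {
        if ($freshrss_forged_logout) {
            return 403;
        }
        # ... your existing try_files / PHP handling, unchanged ...
    }
}
```

Old browsers that do not send Sec-Fetch-Site fall through to the map default and are allowed; to cover them, extend the map key with $http_origin and allow only your own origin. This rule only narrows the window; the application-level fix in 1.27.1 remains the real remedy.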
CVE-2025-59949 is a cross-site request forgery (CSRF) vulnerability in FreshRSS versions up to 1.27.0, allowing attackers to potentially trigger denial-of-service conditions.
Yes, if you are running FreshRSS version 1.27.0 or earlier, you are affected by this vulnerability.
Upgrade FreshRSS to version 1.27.1 or later to resolve the vulnerability. As an interim measure, restrict the session cookie with SameSite and reject cross-site requests to the logout action at your reverse proxy; a Content Security Policy does not mitigate CSRF.
As of December 18, 2025, there are no known active exploits, but the vulnerability is publicly disclosed and exploitation is possible.
Refer to the FreshRSS project's official website or GitHub repository for the latest security advisories and updates.