Platform: php
Component: freshrss
Fixed in: 1.26.3
CVE-2025-46341 is a Server-Side Request Forgery (SSRF) vulnerability in FreshRSS, a self-hosted RSS feed aggregator. The flaw lets attackers gain unauthorized access to internal services by impersonating users through HTTP headers. It affects FreshRSS versions prior to 1.26.2, and a fix is available in version 1.26.2.
The vulnerability allows an attacker to craft requests that the application then forwards to internal or external resources. Specifically, when FreshRSS is deployed behind a reverse proxy that performs HTTP authentication, the Remote-User or X-WebAuth-User header can be used to impersonate any user, because FreshRSS accepts the value in those headers as the authenticated identity. Successful exploitation requires the attacker to know the IP address of the proxied FreshRSS instance and the administrator's username, and to hold an account on the instance. This can lead to unauthorized access to sensitive internal services and data, potentially compromising the entire system; the impact is amplified if the reachable internal services hold sensitive information or expose administrative functionality.
CVE-2025-46341 was publicly disclosed on June 4, 2025. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score is pending evaluation. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.11% (29th percentile)
CISA SSVC: (not provided)
CVSS Vector: (not provided)
The primary mitigation for CVE-2025-46341 is to upgrade FreshRSS to version 1.26.2 or later. If upgrading immediately is not feasible, configure the reverse proxy to validate the HTTP headers it forwards so that client-supplied Remote-User or X-WebAuth-User headers never reach FreshRSS. Additionally, review and restrict access to internal services to limit the impact of a successful SSRF attack. After upgrading, verify the fix by attempting to add a feed with a crafted URL designed to trigger the SSRF vulnerability; the request should be rejected.
Update FreshRSS to version 1.26.2 or higher. This version contains a patch for the privilege escalation vulnerability. The update can be performed through the FreshRSS administration interface or by downloading the latest release and replacing the existing files.
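The header-validation workaround above, as an added example that is not from the advisory or the FreshRSS project: an nginx front end that performs HTTP Basic authentication and forwards only its own authentication result to FreshRSS. The upstream address, hostname, certificate paths and htpasswd path are assumed placeholders.

```nginx
# Added example (not the project's own configuration). Assumptions: FreshRSS
# listens only on loopback port 8080, so this proxy is the only path to it,
# and rss.example.com / the file paths below are placeholders.
upstream freshrss_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name rss.example.com;                                # placeholder
    ssl_certificate     /etc/ssl/certs/rss.example.com.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/rss.example.com.key;   # placeholder

    location / {
        auth_basic           "FreshRSS";
        auth_basic_user_file /etc/nginx/freshrss.htpasswd;      # placeholder

        proxy_pass http://freshrss_backend;

        # The identity FreshRSS trusts must come only from nginx's own
        # authentication. proxy_set_header redefines the header sent upstream,
        # so a Remote-User value supplied by the client is replaced, never
        # forwarded.
        proxy_set_header Remote-User $remote_user;

        # FreshRSS also honours X-WebAuth-User. An empty value makes nginx omit
        # the header entirely, so a client-supplied copy is dropped as well.
        proxy_set_header X-WebAuth-User "";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To confirm the configuration after a reload, log in through the proxy as a non-administrative account while also sending your own Remote-User header; the FreshRSS session must still belong to the account that authenticated at the proxy.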
CVE-2025-46341 is a Server-Side Request Forgery vulnerability in FreshRSS versions prior to 1.26.2, allowing attackers to impersonate users and access internal services.
You are affected if you are running FreshRSS version 1.26.2 or earlier and your instance is behind a reverse proxy using HTTP authentication.
Upgrade FreshRSS to version 1.26.2 or later. As a temporary workaround, implement stricter HTTP header validation on your reverse proxy.
There is no confirmed active exploitation of CVE-2025-46341 at this time, but it is important to apply the patch as soon as possible.
Refer to the FreshRSS security advisories on their official website or GitHub repository for the latest information.