Platform: php
Component: freshrss
Fixed in: 1.26.3
CVE-2025-46341 is a Server-Side Request Forgery (SSRF) vulnerability in FreshRSS, a self-hosted RSS feed aggregator, that can be chained with user impersonation. When FreshRSS sits behind a reverse proxy that performs HTTP authentication, a request that reaches the backend carrying an attacker-chosen Remote-User or X-WebAuth-User header is accepted as that user. Versions earlier than 1.26.2 are affected; the fix shipped in 1.26.2.
The SSRF primitive is FreshRSS's own feed fetching: a user registers a feed URL and the server retrieves it, including URLs that resolve to internal addresses. In the reverse-proxy HTTP authentication mode the backend takes the user identity from the Remote-User or X-WebAuth-User header of whatever request reaches it, on the assumption that only the proxy can send one. An attacker who points a feed at the address of the proxied FreshRSS instance, so that the server's own request reaches the backend without passing through the proxy, can therefore impersonate any user, including the administrator. Successful exploitation requires an account on the instance, knowledge of the IP address of the proxied FreshRSS backend, and the administrator's username. The result is access to the data and functionality of the impersonated account and, more generally, to any internal service the feed fetcher can reach; the impact is greatest where those services hold sensitive data or expose administrative functions.
CVE-2025-46341 was publicly disclosed on June 4, 2025. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score is 0.11% (29th percentile). It is not currently listed in the CISA KEV catalog.
Any deployment running a FreshRSS version earlier than 1.26.2 behind a reverse proxy that performs HTTP authentication (identity passed in the Remote-User or X-WebAuth-User header) is affected. Exposure is greater where the FreshRSS backend can be reached without going through the proxy, for example on a shared host or internal network where its address is known, and where the proxy passes client-supplied copies of these headers through instead of overwriting them on every forwarded request.
• linux / server: On the backend, log and monitor the Remote-User and X-WebAuth-User request headers. The default nginx "combined" log format does not record request headers, so first add $http_remote_user and $http_x_webauth_user to the log_format (for example as Remote-User="$http_remote_user" X-WebAuth-User="$http_x_webauth_user"). Any request carrying a non-empty identity header from a source other than the reverse proxy is suspicious. Note that in this attack the request is made by the FreshRSS feed fetcher itself, so it may originate from the FreshRSS host's own address rather than from an external one; compare against the proxy's address, not simply against "external" sources.
grep -Ei '(Remote-User|X-WebAuth-User)="[^"]+"' /var/log/nginx/access.log | grep -v '^127\.0\.0\.1 '
(Replace 127.0.0.1 with the address the reverse proxy connects from.)
• generic web: As a low-privileged test user, use the 'add feed' function with a URL pointing to an internal service (such as the backend's own address) and check whether the server fetched it. The path and parameters below are placeholders; use your instance's actual add-feed form.
curl -I 'http://your-freshrss-instance/add_feed?url=http://internal-service/'
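The log check above, carried through as an added example (this is not code from the original page or from the FreshRSS project): it parses backend access-log lines written in a hypothetical nginx log_format that appends both identity headers to the "combined" format, and flags three patterns: an identity header from a source other than the reverse proxy, an identity header on a request whose User-Agent identifies the FreshRSS feed fetcher (the self-request pattern described above; the "FreshRSS/" User-Agent prefix is an assumption), and conflicting values in the two headers. The sample log lines are constructed, not real traffic.

```python
"""
Added example, not code from the original page or the FreshRSS project: scan
backend access-log lines for proxy-auth identity headers that should not be there.

Assumed (hypothetical) nginx log_format on the backend vhost:

  log_format proxyauth '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" Remote-User="$http_remote_user" '
                       'X-WebAuth-User="$http_x_webauth_user"';
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(
    r'^(?P<src>\S+) - \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" '
    r'Remote-User="(?P<remote_user>[^"]*)" X-WebAuth-User="(?P<webauth_user>[^"]*)"$'
)

# Assumption: the FreshRSS feed fetcher sends a User-Agent beginning "FreshRSS/".
# A fetcher self-request carrying an identity header is the SSRF-plus-impersonation
# pattern this page describes.
FETCHER_UA_RE = re.compile(r"^FreshRSS/")

# Constructed sample log in the assumed format (not real traffic). The proxy runs
# on 127.0.0.1; 10.0.0.5 is the FreshRSS host's own LAN address.
SAMPLE_LOG = """\
127.0.0.1 - - [04/Jun/2025:10:00:01 +0000] "GET /i/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0" Remote-User="alice" X-WebAuth-User=""
127.0.0.1 - - [04/Jun/2025:10:00:02 +0000] "GET /i/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0" Remote-User="" X-WebAuth-User=""
10.0.0.5 - - [04/Jun/2025:10:00:07 +0000] "GET /i/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0" Remote-User="admin" X-WebAuth-User=""
127.0.0.1 - - [04/Jun/2025:10:00:09 +0000] "GET /i/ HTTP/1.1" 200 5123 "-" "FreshRSS/1.26.1 (Linux; https://freshrss.org)" Remote-User="admin" X-WebAuth-User=""
127.0.0.1 - - [04/Jun/2025:10:00:11 +0000] "GET /i/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0" Remote-User="alice" X-WebAuth-User="admin"
not a log line at all
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; None if it is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str], trusted_nets) -> Optional[str]:
    """Return a finding label for one parsed entry, or None if it looks benign."""
    ru, xwu = entry["remote_user"], entry["webauth_user"]
    if not ru and not xwu:
        return None  # no identity asserted, nothing to spoof
    try:
        src = ipaddress.ip_address(entry["src"])
    except ValueError:
        return "identity header with unparsable source address"
    if not any(src in net for net in trusted_nets):
        return "identity header from a source other than the reverse proxy"
    if FETCHER_UA_RE.match(entry["ua"]):
        return "identity header on a feed-fetcher self-request"
    if ru and xwu and ru != xwu:
        return "conflicting Remote-User and X-WebAuth-User values"
    return None


def scan(lines: Iterable[str], trusted_proxies: Iterable[str]) -> List[Dict[str, str]]:
    """Scan log lines; trusted_proxies are CIDR strings the reverse proxy connects from."""
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not in the assumed format; skipped
        label = classify(entry, nets)
        if label:
            findings.append({
                "src": entry["src"],
                "user": entry["remote_user"] or entry["webauth_user"],
                "request": entry["request"],
                "finding": label,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines(), ["127.0.0.1/32"]):
        print(f"{f['src']:<12} user={f['user']:<8} {f['request']!r}: {f['finding']}")
```

Feed it real lines with the proxy's actual address(es) in place of 127.0.0.1/32. The fetcher User-Agent heuristic is a convenience signal only, since a request that can set Remote-User can also set User-Agent; the source-address check is the one that matters.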
Exploit status
EPSS: 0.11% (29th percentile)
The primary mitigation for CVE-2025-46341 is to upgrade FreshRSS to version 1.26.2 or later. If upgrading immediately is not feasible, configure the reverse proxy to overwrite, not merely validate, the Remote-User and X-WebAuth-User headers on every request it forwards, so that a client-supplied value never reaches the backend. Because the attack described above reaches the backend without passing through the proxy, that alone is not enough: also ensure the backend accepts connections only from the proxy (for example by binding it to a Unix socket or an address that the FreshRSS process's own outbound requests cannot reach, or by firewalling it), and restrict which internal services the feed fetcher can reach to limit the impact of any SSRF. After upgrading, verify the fix as a low-privileged test user by adding a feed whose URL points at the backend's address; the request should be rejected.
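The trust decision behind the mitigation above, as an added illustration that is not FreshRSS's own code: the pattern that makes the impersonation possible (believing the identity header from any request) next to the hardened check, which honours the header only when the connection comes from a trusted proxy address, only when exactly one consistent value is present, and only when that value looks like a username. The trusted-proxy list, the username pattern and the header-handling assumptions are hypothetical.

```python
"""
Added illustration, not FreshRSS's own code: the check a backend should apply
before believing a proxy-supplied identity header (Remote-User / X-WebAuth-User).

Hypothetical assumptions: the reverse proxy always connects from an address in
trusted_proxies, strips any client-supplied copy of both headers, and sets
exactly one of them on authenticated requests.
"""
import ipaddress
import re
from typing import Dict, Iterable, Mapping, Optional

IDENTITY_HEADERS = ("remote-user", "x-webauth-user")
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")  # assumed local username policy


def _identity_values(headers: Mapping[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; collect the non-empty identity values."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {h: lower[h] for h in IDENTITY_HEADERS if lower.get(h)}


def user_trusting_any_request(headers: Mapping[str, str]) -> Optional[str]:
    """Vulnerable pattern: whoever reaches the backend is believed.

    A request that bypasses the proxy, such as one the application itself
    issues while fetching a feed URL that points at its own backend address,
    can therefore name any account."""
    values = _identity_values(headers)
    for h in IDENTITY_HEADERS:
        if h in values:
            return values[h]
    return None


def user_trusting_proxy_only(peer_ip: str, headers: Mapping[str, str],
                             trusted_proxies: Iterable[str]) -> Optional[str]:
    """Hardened pattern: identity is honoured only when asserted by the proxy."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return None  # did not come through the proxy: treat as anonymous
    values = _identity_values(headers)
    if len(set(values.values())) != 1:
        return None  # absent, or the two headers disagree: refuse rather than guess
    user = next(iter(values.values()))
    return user if USERNAME_RE.fullmatch(user) else None


if __name__ == "__main__":
    spoofed = {"Remote-User": "admin"}  # constructed: a fetcher self-request from 10.0.0.5
    print("vulnerable:", user_trusting_any_request(spoofed))
    print("hardened:  ", user_trusting_proxy_only("10.0.0.5", spoofed, ["127.0.0.1/32"]))
    print("via proxy: ", user_trusting_proxy_only("127.0.0.1", {"Remote-User": "alice"}, ["127.0.0.1/32"]))
```

When the proxy and the feed fetcher share an address (both on 127.0.0.1, say), the source check alone cannot tell them apart; the backend must then listen where only the proxy can reach it, such as a Unix socket, and the proxy should set both headers unconditionally (in nginx, proxy_set_header Remote-User $remote_user; and proxy_set_header X-WebAuth-User ""; or the reverse) so the backend never sees a client-chosen value.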
Update FreshRSS to version 1.26.2 or later. This version contains the fix for this privilege-escalation vulnerability. The update can be performed through the FreshRSS administration interface or by downloading the latest version of the software and replacing the existing files.
CVE-2025-46341 is a Server-Side Request Forgery vulnerability in FreshRSS versions prior to 1.26.2, allowing attackers to impersonate users and access internal services.
You are affected if you are running a FreshRSS version earlier than 1.26.2 and your instance is behind a reverse proxy that performs HTTP authentication.
Upgrade FreshRSS to version 1.26.2 or later. As a temporary workaround, have the reverse proxy overwrite the Remote-User and X-WebAuth-User headers on every forwarded request and make sure the backend is reachable only through the proxy.
There is no confirmed active exploitation of CVE-2025-46341 at this time, but it is important to apply the patch as soon as possible.
Refer to the FreshRSS security advisories on their official website or GitHub repository for the latest information.