Platform
php
Component
freshrss
Fixed in
1.27.2
CVE-2025-59949 describes a cross-site request forgery (CSRF) vulnerability affecting FreshRSS versions up to 1.27.0. This flaw allows an attacker to potentially trigger denial-of-service conditions by exploiting the application's logout functionality. The vulnerability is addressed in version 1.27.1, and users are strongly encouraged to upgrade to mitigate the risk.
The primary impact of this CSRF vulnerability lies in the potential for denial-of-service (DoS). An attacker could craft malicious requests, embedded within a website or email, that, when clicked by an authenticated FreshRSS user, would trigger the user's logout. Repeated or automated exploitation could effectively lock out legitimate users from accessing their RSS feeds. While data exfiltration isn't a direct consequence, a successful DoS attack could disrupt service and impact user productivity. The blast radius is limited to users of FreshRSS, but the self-hosted nature of the application means that individual instances are potentially vulnerable.
CVE-2025-59949 was publicly disclosed on December 18, 2025. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this date. Given the nature of CSRF vulnerabilities and the public disclosure, it is reasonable to anticipate that exploits may emerge in the future.
Users of FreshRSS who are running versions 1.27.0 or earlier are at risk. This includes individuals and organizations self-hosting FreshRSS instances, particularly those with limited security expertise or those who haven't implemented robust security practices such as CSP.
• php / server:
  find /var/www/html/freshrss -type f -name '*.php' -print0 | xargs -0 grep -i '<track src='
• generic web:
  curl -I https://your-freshrss-instance.com/ | grep -i 'content-security-policy'
Disclosure
Exploit Status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The definitive mitigation for CVE-2025-59949 is to upgrade FreshRSS to version 1.27.1 or later. If an immediate upgrade is not feasible due to compatibility concerns or downtime constraints, consider implementing a Content Security Policy (CSP) to restrict the sources from which FreshRSS can load resources. While not a complete fix, this can reduce the attack surface. Additionally, educate users about the risks of clicking suspicious links and entering credentials on untrusted websites. After upgrading, confirm the fix by attempting a logout via a crafted CSRF request and verifying that it does not succeed.
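The logout-CSRF pattern described above, shown as an added example (not FreshRSS code): the vulnerable handler that ends a session on any request, beside a hardened handler that requires a POST with a per-session token and a SameSite session cookie. The route, form field name `_csrf` and session layout are assumptions for illustration.

```php
<?php
// Added example, not FreshRSS code. Hypothetical logout endpoint.
harden_session_cookie();   // must run before session_start()
session_start();

// BEFORE (vulnerable pattern): any request, including a cross-site GET from an
// <img src="...?logout"> embedded in a page or email, ends the victim's session.
function logout_vulnerable(): void {
    session_destroy();
}

// Per-session CSRF token, generated once from the CSPRNG.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// AFTER (hardened): only a POST carrying the session's token may log the user out.
// hash_equals() compares in constant time; a missing or wrong token is a 403.
function logout_hardened(string $method, ?string $token): bool {
    if ($method !== 'POST') {
        http_response_code(405);
        return false;
    }
    if ($token === null || !hash_equals(csrf_token(), $token)) {
        http_response_code(403);
        return false;
    }
    $_SESSION = [];
    session_destroy();
    return true;
}

// Defence in depth: SameSite=Lax keeps the session cookie off cross-site
// subresource and POST requests. Lax still sends it on top-level GET navigations,
// which is why the handler above additionally refuses GET.
function harden_session_cookie(): void {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}

// Dispatch: render the logout form with its token, or handle the POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo logout_hardened('POST', $_POST['_csrf'] ?? null) ? 'Logged out' : 'Logout rejected';
} else {
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="_csrf" value="' . $t . '">'
       . '<button>Log out</button></form>';
}
```

Requesting the endpoint with GET, or with a POST lacking the `_csrf` field, leaves the session intact; that is the behaviour to verify after upgrading.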
Update FreshRSS to version 1.27.1 or later. This version fixes the CSRF vulnerability that makes denial-of-service attacks possible. The update can be performed via the FreshRSS administration interface or by downloading the latest version of the software and replacing the existing files.
CVE-2025-59949 is a cross-site request forgery (CSRF) vulnerability in FreshRSS versions up to 1.27.0, allowing attackers to potentially trigger denial-of-service conditions.
Yes, if you are running FreshRSS version 1.27.0 or earlier, you are affected by this vulnerability.
Upgrade FreshRSS to version 1.27.1 or later to resolve the vulnerability. Consider implementing a Content Security Policy (CSP) as an interim measure.
As of December 18, 2025, there are no known active exploits, but the vulnerability is publicly disclosed and exploitation is possible.
Refer to the FreshRSS project's official website or GitHub repository for the latest security advisories and updates.