CVE-2025-58173

Summary

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the language user configuration parameter, it's possible to call install.php and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed curl_params inside the feed table. Version 1.27.1 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
FreshRSSFreshRSS>= 1.23.0, < 1.27.1affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation
  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References