CVE-2025-58173

Published: Dec 16, 2025Modified: Jan 7, 2026

7.4

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue.

Affected (1)

Products: Freshrss: Freshrss

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Freshrss Freshrss	From 1.23.0 to 1.27.1

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (8)

https://github.com/FreshRSS/FreshRSS/commit/79604aa4b3051f083d1734bd9e82c6a89d785c5a#diff-49280171b6e7964e21a0270427e56eacb47b8ac562593a01ad4bc74b49f840c7R135

Source: security-advisories@github.com

Patch

https://github.com/FreshRSS/FreshRSS/commit/dbbae15a8458679db0f4540dacdbdcff9c02ec8c#diff-63f610c36d0f2555c1787f6d0804f46f4df6e0f918dfe03408309039abf6efebL85-L88

Source: security-advisories@github.com

Patch

https://github.com/FreshRSS/FreshRSS/commit/ee175dd6169a016fc898fac62d046e22c205dec0#diff-6ebff7743ede829cf5a7f0e4566b42023a2d4779cc8d7e96fefec116f2292174R190-R194

Source: security-advisories@github.com

Patch

https://github.com/FreshRSS/FreshRSS/pull/7878

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/FreshRSS/FreshRSS/pull/7971

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/FreshRSS/FreshRSS/pull/7979

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-6c8h-w3j5-j293

Source: security-advisories@github.com

ExploitPatchVendor Advisory

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-6c8h-w3j5-j293

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitPatchVendor Advisory

Timeline

No history available yet.