CVE-2025-68148

Published: Dec 27, 2025Modified: Dec 31, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for a large list of feeds on given instance, making it unusable for majority of users. This issue has been patched in version 1.28.0.

Affected (1)

Products: Freshrss: Freshrss

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Freshrss Freshrss	From 1.27.0 to 1.28.0

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (4)

https://github.com/FreshRSS/FreshRSS/commit/7d4854a0a4f5665db599f18c34035786465639f3

Source: security-advisories@github.com

Patch

https://github.com/FreshRSS/FreshRSS/pull/8029

Source: security-advisories@github.com

Issue Tracking

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78

Source: security-advisories@github.com

ExploitPatchVendor Advisory

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitPatchVendor Advisory

Timeline

No history available yet.