CVE-2025-31134

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438	Patch
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65	Exploit Vendor Advisory
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*

History

10 Jun 2025, 15:08

Type	Values Removed	Values Added
First Time		Freshrss freshrss Freshrss
CPE		cpe:2.3:a:freshrss:freshrss::::::::
CWE		NVD-CWE-Other
References	~~() https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438 -~~	() https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438 - Patch
References	~~() https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65 -~~	() https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65 - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

05 Jun 2025, 20:12

Type	Values Removed	Values Added
Summary		(es) FreshRSS es un agregador de feeds RSS autoalojado. Antes de la versión 1.26.2, un atacante podía obtener información adicional sobre el servidor comprobando la existencia de ciertos directorios. Por ejemplo, un atacante podía comprobar si había versiones anteriores de PHP instaladas o si había algún software instalado en el servidor y potencialmente usar esa información para atacarlo. La versión 1.26.2 incluye un parche para este problema.

04 Jun 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-04 20:15

Updated : 2025-06-10 15:08

NVD link : CVE-2025-31134

Mitre link : CVE-2025-31134

CVE.ORG link : CVE-2025-31134

JSON object : View

Products Affected

freshrss

freshrss

CWE

CWE-201

Insertion of Sensitive Information Into Sent Data

NVD-CWE-Other

7.5 /10