CVE-2025-31482

FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue.
References
Configurations

Configuration 1

cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*

History

12 Aug 2025, 15:21

Type | Values Removed | Values Added
References | () https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-vpmc-3fv2-jmgp - | () https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-vpmc-3fv2-jmgp - Exploit, Vendor Advisory
CPE | | cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*
First Time | | Freshrss freshrss; Freshrss

05 Jun 2025, 20:12

Type | Values Removed | Values Added
Summary | | (es) FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes the user's session to be closed repeatedly after fetching a malicious entry, resulting in a denial of service. Version 1.26.2 includes a patch for this issue.

04 Jun 2025, 20:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2025-06-04 20:15

Updated : 2025-08-12 15:21


NVD link : CVE-2025-31482

Mitre link : CVE-2025-31482

CVE.ORG link : CVE-2025-31482



Products Affected

freshrss

  • freshrss
CWE
CWE-352

Cross-Site Request Forgery (CSRF)