CVE-2025-54592

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
VendorProductVersion
freshrssfreshrss
𝑥
< 1.27.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/FreshRSS/FreshRSS/pull/7762
https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr