Nixpkgs security tracker

Untriaged

Permalink CVE-2025-68402

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch]

FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the lengths of the nonce was changed from 40 chars to 64. password_verify() is currently being called with a constructed string (SHA-256 nonce + part of a bcrypt hash) instead of the raw user password. Due to bcrypt’s 72-byte input truncation, this causes password verification to succeed even when the user enters an incorrect password. This vulnerability is fixed in 1.27.2-dev (476e57b). The issue was only present in the edge branch and never in a stable release.

References

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-pcq9-mq6m-mvmp x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/8061 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/pull/8320 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/476e57b04646416e24e24c56133c9fadf9e52b95 x_refsource_MISC

Affected products

FreshRSS

==< 476e57b04646416e24e24c56133c9fadf9e52b95

Matching in nixpkgs

pkgs.freshrss

FreshRSS is a free, self-hostable RSS aggregator

nixos-unstable 1.28.1
- nixpkgs-unstable 1.28.1
- nixos-unstable-small 1.28.1
nixos-25.11 1.27.1
- nixos-25.11-small 1.27.1
- nixpkgs-25.11-darwin 1.27.1

pkgs.freshrss-extensions.demo

FreshRSS Extension for the demo version.

nixos-unstable 2023-12-22
- nixpkgs-unstable 2023-12-22
- nixos-unstable-small 2023-12-22
nixos-25.11 2023-12-22
- nixos-25.11-small 2023-12-22
- nixpkgs-25.11-darwin 2023-12-22

pkgs.freshrss-extensions.youtube

FreshRSS extension allows you to directly watch YouTube/PeerTube videos from within subscribed channel feeds.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27

pkgs.freshrss-extensions.auto-ttl

FreshRSS extension for automatic feed refresh TTL based on the average frequency of entries.

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0
nixos-25.11 0.5.0
- nixos-25.11-small 0.5.0
- nixpkgs-25.11-darwin 0.5.0

pkgs.freshrss-extensions.title-wrap

FreshRSS extension instead of truncating the title is wrapped.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27