Activity log
- Created suggestion
FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch]
FreshRSS is a free, self-hostable RSS aggregator. Between commits 57e1a37 and 00f2f04 (edge branch), the length of the login nonce was changed from 40 to 64 characters. password_verify() is called with a constructed string (the SHA-256 nonce followed by part of a bcrypt hash) instead of the raw user password. Because bcrypt silently truncates its input to 72 bytes, a 64-character nonce leaves at most 8 bytes of that hash material inside the hashed input, and the check no longer distinguishes a correct password from an incorrect one: verification succeeds even when the user enters the wrong password. This vulnerability is fixed in 1.27.2-dev (476e57b). The issue was only present in the edge branch and never in a stable release, so only deployments tracking the edge branch between those commits need to update.
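The PHP illustration below is added here and is not FreshRSS code; it reproduces the mechanism the advisory describes with a constructed salt, constructed nonces and constructed passwords, and shows why a 40-character nonce still exercised the password while a 64-character one does not. It assumes that the "part of a bcrypt hash" fed to password_verify() begins with the hash's `$2y$10$` prefix and salt (the advisory does not say which part), and the pre-hashing in `hardenedVerify()` is a generic mitigation for bcrypt's 72-byte limit, not the project's actual fix in 476e57b.

```php
<?php
declare(strict_types=1);

// Added illustration, not FreshRSS code. bcrypt only consumes the first 72 bytes
// of its input, so password_verify() on "nonce . bcryptHash" stops depending on
// the password once the nonce is 64 bytes long. Salt, nonces and passwords here
// are constructed; the assumption that the hash fragment starts with the
// "$2y$10$" + salt prefix is ours, not stated by the advisory.

const BCRYPT_INPUT_LIMIT = 72; // bytes bcrypt actually uses as key material

// A fixed, public bcrypt salt ("$2y$10$" + 22 salt chars). In a challenge/response
// login the client needs the salt to hash the password, so it carries no secret.
const SALT = '$2y$10$abcdefghijklmnopqrstuv';

function bcryptWithSalt(string $input): string
{
    // crypt() lets us pin the salt, which password_hash() no longer allows.
    $h = crypt($input, SALT);
    if (strlen($h) !== 60) {
        throw new RuntimeException('bcrypt failed');
    }
    return $h;
}

// Vulnerable pattern: verify the constructed string instead of the password.
function vulnerableVerify(string $nonce, string $storedHash, string $challenge): bool
{
    return password_verify($nonce . $storedHash, $challenge);
}

// Generic mitigation (not the project's fix): keep the bcrypt input under 72
// bytes by pre-hashing, so every byte of the password-dependent material counts.
function hardenedVerify(string $nonce, string $storedHash, string $challenge): bool
{
    $material = hash('sha256', $nonce . $storedHash); // 64 hex chars < 72
    return password_verify($material, $challenge);
}

function demo(string $nonce): void
{
    $storedHash   = bcryptWithSalt('correct horse battery staple'); // server side
    $attackerHash = bcryptWithSalt('wrong password');               // wrong guess, same salt

    // How many bytes of the hash survive truncation after the nonce?
    $surviving = max(0, BCRYPT_INPUT_LIMIT - strlen($nonce));
    printf("nonce=%d bytes, hash bytes inside bcrypt input=%d: %s\n",
        strlen($nonce), $surviving, substr($storedHash, 0, $surviving));

    // A client holding the wrong password builds its challenge from the wrong hash.
    $challenge = bcryptWithSalt($nonce . $attackerHash);
    printf("  vulnerable check accepts wrong password: %s\n",
        vulnerableVerify($nonce, $storedHash, $challenge) ? 'yes' : 'no');

    $hardenedChallenge = bcryptWithSalt(hash('sha256', $nonce . $attackerHash));
    printf("  hardened check accepts wrong password:   %s\n",
        hardenedVerify($nonce, $storedHash, $hardenedChallenge) ? 'yes' : 'no');
}

// 40-char nonce (SHA-1 hex): 32 bytes of the hash enter bcrypt, i.e. the 29-byte
// prefix+salt plus 3 chars of the password-dependent digest, so the wrong hash is
// rejected unless those 3 chars happen to collide.
demo(sha1('nonce-before-the-change'));

// 64-char nonce (SHA-256 hex): only 8 bytes of the hash enter bcrypt, and those
// are "$2y$10$" plus one salt char, identical for every password.
demo(hash('sha256', 'nonce-after-the-change'));
```

Run it with `php example.php`; the second `demo()` call is the advisory's condition, where the vulnerable check answers "yes" for the wrong password while the pre-hashed variant answers "no". The general lesson is to never hand bcrypt an input whose length you do not control, and to verify the secret itself rather than a string built around it.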
References
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-pcq9-mq6m-mvmp (CONFIRM)
- https://github.com/FreshRSS/FreshRSS/pull/8061 (MISC)
- https://github.com/FreshRSS/FreshRSS/pull/8320 (MISC)
Affected products
- < 476e57b04646416e24e24c56133c9fadf9e52b95 (edge-branch builds before the fix commit)
Matching in nixpkgs
pkgs.freshrss
FreshRSS is a free, self-hostable RSS aggregator
pkgs.freshrss-extensions.demo
FreshRSS Extension for the demo version.
- nixos-unstable 2023-12-22
- nixpkgs-unstable 2023-12-22
- nixos-unstable-small 2023-12-22
- nixos-25.11 2023-12-22
- nixos-25.11-small 2023-12-22
- nixpkgs-25.11-darwin 2023-12-22
pkgs.freshrss-extensions.youtube
FreshRSS extension allows you to directly watch YouTube/PeerTube videos from within subscribed channel feeds.
- nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
- nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27
pkgs.freshrss-extensions.auto-ttl
FreshRSS extension for automatic feed refresh TTL based on the average frequency of entries.
pkgs.freshrss-extensions.title-wrap
FreshRSS extension that wraps the title instead of truncating it.
- nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
- nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27
pkgs.freshrss-extensions.reading-time
FreshRSS extension adding a reading time estimation next to each article.
pkgs.freshrss-extensions.reddit-image
FreshRSS extension to process Reddit feeds.
pkgs.freshrss-extensions.unsafe-auto-login
FreshRSS extension to bring back unsafe autologin functionality.
- nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
Package maintainers
- @Stunkymonkey Felix Bühler <account@buehler.rocks>
- @etu Elis Hirwing <elis@hirwing.se>