Nixpkgs security tracker

Untriaged

Permalink CVE-2025-62166

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

FreshRSS has an IDOR which allows for viewing feeds of any user and leaking tokens

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

References

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w743-fg6g-mhwh x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/8165 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/releases/tag/1.28.0 x_refsource_MISC

Affected products

FreshRSS

==< 1.28.0

Matching in nixpkgs

pkgs.freshrss

FreshRSS is a free, self-hostable RSS aggregator

nixos-unstable 1.28.1
- nixpkgs-unstable 1.28.1
- nixos-unstable-small 1.28.1
nixos-25.11 1.27.1
- nixos-25.11-small 1.27.1
- nixpkgs-25.11-darwin 1.27.1

pkgs.freshrss-extensions.demo

FreshRSS Extension for the demo version.

nixos-unstable 2023-12-22
- nixpkgs-unstable 2023-12-22
- nixos-unstable-small 2023-12-22
nixos-25.11 2023-12-22
- nixos-25.11-small 2023-12-22
- nixpkgs-25.11-darwin 2023-12-22

pkgs.freshrss-extensions.youtube

FreshRSS extension allows you to directly watch YouTube/PeerTube videos from within subscribed channel feeds.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27

pkgs.freshrss-extensions.auto-ttl

FreshRSS extension for automatic feed refresh TTL based on the average frequency of entries.

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0
nixos-25.11 0.5.0
- nixos-25.11-small 0.5.0
- nixpkgs-25.11-darwin 0.5.0

pkgs.freshrss-extensions.title-wrap

FreshRSS extension instead of truncating the title is wrapped.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27