Suggestions search

All statuses

Filter by:

With package: freshrss

Found 2 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2025-62166

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

FreshRSS has an IDOR which allows for viewing feeds of any user and leaking tokens

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

References

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w743-fg6g-mhwh x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/8165 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/releases/tag/1.28.0 x_refsource_MISC

Affected products

FreshRSS

==< 1.28.0

Matching in nixpkgs

pkgs.freshrss

FreshRSS is a free, self-hostable RSS aggregator

nixos-unstable 1.28.1
- nixpkgs-unstable 1.28.1
- nixos-unstable-small 1.28.1
nixos-25.11 1.27.1
- nixos-25.11-small 1.27.1
- nixpkgs-25.11-darwin 1.27.1

pkgs.freshrss-extensions.demo

FreshRSS Extension for the demo version.

nixos-unstable 2023-12-22
- nixpkgs-unstable 2023-12-22
- nixos-unstable-small 2023-12-22
nixos-25.11 2023-12-22
- nixos-25.11-small 2023-12-22
- nixpkgs-25.11-darwin 2023-12-22

pkgs.freshrss-extensions.youtube

FreshRSS extension allows you to directly watch YouTube/PeerTube videos from within subscribed channel feeds.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27

pkgs.freshrss-extensions.auto-ttl

FreshRSS extension for automatic feed refresh TTL based on the average frequency of entries.

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0
nixos-25.11 0.5.0
- nixos-25.11-small 0.5.0
- nixpkgs-25.11-darwin 0.5.0

pkgs.freshrss-extensions.title-wrap

FreshRSS extension instead of truncating the title is wrapped.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27

pkgs.freshrss-extensions.reading-time

FreshRSS extension adding a reading time estimation next to each article.

nixos-unstable 1.5
- nixpkgs-unstable 1.5
- nixos-unstable-small 1.5
nixos-25.11 1.5
- nixos-25.11-small 1.5
- nixpkgs-25.11-darwin 1.5

pkgs.freshrss-extensions.reddit-image

FreshRSS extension to process Reddit feeds.

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.freshrss-extensions.unsafe-auto-login

FreshRSS extension to bring back unsafe autologin functionality.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26

Package maintainers

@Stunkymonkey Felix Bühler <account@buehler.rocks>
@etu Elis Hirwing <elis@hirwing.se>

Untriaged

Permalink CVE-2025-68402

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch]

FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the lengths of the nonce was changed from 40 chars to 64. password_verify() is currently being called with a constructed string (SHA-256 nonce + part of a bcrypt hash) instead of the raw user password. Due to bcrypt’s 72-byte input truncation, this causes password verification to succeed even when the user enters an incorrect password. This vulnerability is fixed in 1.27.2-dev (476e57b). The issue was only present in the edge branch and never in a stable release.

References

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-pcq9-mq6m-mvmp x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/8061 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/pull/8320 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/476e57b04646416e24e24c56133c9fadf9e52b95 x_refsource_MISC

Affected products

FreshRSS

==< 476e57b04646416e24e24c56133c9fadf9e52b95

Matching in nixpkgs

pkgs.freshrss

FreshRSS is a free, self-hostable RSS aggregator

nixos-unstable 1.28.1
- nixpkgs-unstable 1.28.1
- nixos-unstable-small 1.28.1
nixos-25.11 1.27.1
- nixos-25.11-small 1.27.1
- nixpkgs-25.11-darwin 1.27.1

pkgs.freshrss-extensions.demo

FreshRSS Extension for the demo version.

nixos-unstable 2023-12-22
- nixpkgs-unstable 2023-12-22
- nixos-unstable-small 2023-12-22
nixos-25.11 2023-12-22
- nixos-25.11-small 2023-12-22
- nixpkgs-25.11-darwin 2023-12-22

pkgs.freshrss-extensions.youtube

FreshRSS extension allows you to directly watch YouTube/PeerTube videos from within subscribed channel feeds.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27

pkgs.freshrss-extensions.auto-ttl

FreshRSS extension for automatic feed refresh TTL based on the average frequency of entries.

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0
nixos-25.11 0.5.0
- nixos-25.11-small 0.5.0
- nixpkgs-25.11-darwin 0.5.0

pkgs.freshrss-extensions.title-wrap

FreshRSS extension instead of truncating the title is wrapped.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26
nixos-25.11 2024-04-27
- nixos-25.11-small 2024-04-27
- nixpkgs-25.11-darwin 2024-04-27

pkgs.freshrss-extensions.reading-time

FreshRSS extension adding a reading time estimation next to each article.

nixos-unstable 1.5
- nixpkgs-unstable 1.5
- nixos-unstable-small 1.5
nixos-25.11 1.5
- nixos-25.11-small 1.5
- nixpkgs-25.11-darwin 1.5

pkgs.freshrss-extensions.reddit-image

FreshRSS extension to process Reddit feeds.

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.freshrss-extensions.unsafe-auto-login

FreshRSS extension to bring back unsafe autologin functionality.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26

Package maintainers

@Stunkymonkey Felix Bühler <account@buehler.rocks>
@etu Elis Hirwing <elis@hirwing.se>