
Critical Severity Vulnerability

This vulnerability has been rated as Critical severity. Immediate action is recommended.

CVE-2025-68932

CVSS Score: 9.8 (Critical)
Published: Dec 27, 2025
Last Modified: Dec 31, 2025

Vulnerability Description

FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for "keep me logged in" functionality. This issue has been patched in version 1.28.0.
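The weakness class described above, shown next to a hardened pattern. This is an added example, not FreshRSS source code or its patch; every function name is hypothetical, and storing only a hash of the token server-side is an assumption of the sketch.

```php
<?php
declare(strict_types=1);

// Added illustration; not FreshRSS source. All function names are hypothetical.

// Weak pattern (constructed): hashing does not add entropy, so the token is
// only as unpredictable as the clock value and the Mersenne Twister state.
function weakToken(): string
{
    return sha1(uniqid('', false) . mt_rand());
}

// uniqid() without a prefix is 8 hex digits of seconds + 5 of microseconds.
function uniqidToTime(string $id): float
{
    return hexdec(substr($id, 0, 8)) + hexdec(substr($id, 8, 5)) / 1e6;
}

// mt_rand() is deterministic: the same seed replays the same sequence.
function mtRandReplays(int $seed): bool
{
    mt_srand($seed);
    $first = [mt_rand(), mt_rand()];
    mt_srand($seed);
    $same = $first === [mt_rand(), mt_rand()];
    mt_srand(); // reseed so later callers do not inherit the fixed seed
    return $same;
}

// Hardened pattern: 256 bits from the OS CSPRNG. Storing only a hash of the
// token server-side is an assumption of this sketch, not a detail from the advisory.
function issueToken(): array
{
    $token = bin2hex(random_bytes(32));
    return ['cookie' => $token, 'stored' => hash('sha256', $token)];
}

// Constant-time comparison of the presented token against the stored hash.
function verifyToken(string $presented, string $storedHash): bool
{
    return hash_equals($storedHash, hash('sha256', $presented));
}

$id = uniqid();
printf("uniqid %s decodes to %s\n", $id, date('c', (int) uniqidToTime($id)));
printf("mt_rand replays from seed: %s\n", mtRandReplays(1234) ? 'yes' : 'no');
$t = issueToken();
printf("CSPRNG token verifies: %s\n", verifyToken($t['cookie'], $t['stored']) ? 'yes' : 'no');
```

When reviewing PHP code for this class of issue, search authentication paths for `mt_rand`, `rand`, `uniqid` and `lcg_value`, and replace them with `random_bytes` or `random_int`.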

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: N
Attack Complexity: L
Privileges Required: N
User Interaction: N
Scope: U
Confidentiality: H
Integrity: H
Availability: H

Known Affected Software

81 configuration(s) from 1 vendor(s)

This vulnerability affects 81 software configuration(s). Ensure you patch all affected systems.
