CVE-2025-58173

Source
https://cve.org/CVERecord?id=CVE-2025-58173
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58173.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-58173
Aliases
  • GHSA-6c8h-w3j5-j293
Published
2025-12-15T23:07:25.225Z
Modified
2026-03-14T12:44:08.032315Z
Severity
  • 7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
FreshRSS vulnerable to authenticated RCE via path traversal inside include()
Details

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, the user-configurable language parameter is used to build an include() path without being validated, so a path traversal in that value lets an authenticated but unprivileged user include install.php and perform administrative actions. These include logging in as the admin, creating a new admin user, or pointing the database configuration at an attacker-controlled MySQL server and abusing it to execute code in FreshRSS by setting malicious curl_params on a feed row in the feed table. Version 1.27.1 fixes the issue.
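The pattern the advisory describes, shown as an added example that is not FreshRSS's own code: an include() path built from an unvalidated, user-controlled language setting, beside a hardened loader that allowlists the tag format and then confirms with realpath() that the resolved file still sits inside the language directory. The temp-directory layout, the file names, and the tag regex are assumptions made for the demonstration; the script builds its own fixtures so it runs offline.

```php
<?php
declare(strict_types=1);

// Constructed fixture (assumption): an i18n/ directory holding one language
// file, with an "installer" script one level above it, as the traversal target.
$root = sys_get_temp_dir() . '/lang-traversal-demo-' . getmypid();
mkdir($root . '/i18n', 0700, true);
file_put_contents($root . '/i18n/en.php', "<?php return ['hello' => 'Hello'];\n");
file_put_contents($root . '/install.php', "<?php return 'installer reached';\n");

// Vulnerable pattern: the language value is concatenated straight into the
// include path, so a value such as "../install" walks out of i18n/ and
// includes install.php instead of a translation file.
function vulnerableLoadLanguage(string $root, string $userLanguage)
{
    return include $root . '/i18n/' . $userLanguage . '.php';
}

// Hardened pattern: first require a plain language tag (no slashes or dots),
// then resolve both the base directory and the candidate with realpath() and
// insist the candidate lies beneath the base. Either check alone stops the
// traversal; keeping both guards against a later relaxation of the regex.
function safeLoadLanguage(string $root, string $userLanguage)
{
    if (preg_match('/^[a-z]{2,3}(?:-[A-Za-z]{2,4})?$/', $userLanguage) !== 1) {
        throw new InvalidArgumentException("rejected language tag: $userLanguage");
    }
    $base = realpath($root . '/i18n');
    $file = realpath($root . '/i18n/' . $userLanguage . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("language file outside i18n/: $userLanguage");
    }
    return include $file;
}

// A legitimate tag works with both loaders.
var_dump(vulnerableLoadLanguage($root, 'en'));
var_dump(safeLoadLanguage($root, 'en'));

// The traversal payload reaches install.php through the vulnerable loader
// but is rejected by the hardened one before any include() happens.
var_dump(vulnerableLoadLanguage($root, '../install'));
try {
    safeLoadLanguage($root, '../install');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// Remove the constructed fixture.
unlink($root . '/i18n/en.php');
unlink($root . '/install.php');
rmdir($root . '/i18n');
rmdir($root);
```

The regex check is the cheap first line of defence, but the realpath() containment test is the one that survives future changes to the allowed tag syntax: it does not care what the string looks like, only where the filesystem says it ends up. Note that realpath() returns false for a non-existent file, which the hardened loader treats as a rejection rather than falling back to the raw path.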

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58173.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20",
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/freshrss/freshrss

Affected ranges

Type
GIT
Repo
https://github.com/freshrss/freshrss
Events

Affected versions

1.*
1.23.0
1.23.1
1.24.0
1.24.1
1.24.2
1.24.3
1.25.0
1.26.0
1.26.1
1.26.2
1.26.3
1.27.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58173.json"