CVE-2025-59949

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-59949

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59949.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-59949

Aliases

GHSA-w7f5-8vf9-f966

Published

2025-12-18T18:31:54.524Z

Modified

2026-01-01T06:38:22.303756Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

FreshRSS has Logout CSRF that Leads to DoS via <track src>

Details

FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue.

Database specific

{
    "cwe_ids": [
        "CWE-352"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59949.json"
}

References

Affected packages

Git / github.com/freshrss/freshrss

Affected ranges

Type: GIT
Repo: https://github.com/freshrss/freshrss
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3f9b7b333102fed5803d06b2366250860a9314c5

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.5.0

0.6.0

0.6.1

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.8.0

0.8.1

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

1.*

1.0.0

1.1.0

1.1.1

1.1.2-beta

1.1.3-beta

1.10.0

1.10.1

1.10.2

1.11.0

1.11.1

1.11.2

1.12.0

1.13.0

1.13.1

1.14.0

1.14.1

1.14.2

1.14.3

1.15.0

1.15.1

1.15.2

1.15.3

1.16.0

1.16.1

1.16.2

1.17.0

1.18.0

1.18.1

1.19.0

1.19.1

1.19.2

1.2.0

1.20.0

1.20.1

1.20.2

1.21.0

1.22.0

1.22.1

1.23.0

1.23.1

1.24.0

1.24.1

1.24.2

1.24.3

1.25.0

1.26.0

1.26.1

1.26.2

1.26.3

1.27.0

1.3.0-beta

1.3.1-beta

1.4.0

1.5.0

1.6.0

1.6.1

1.6.2

1.6.3

1.7.0

1.8.0

1.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59949.json"