CVE-2025-62166

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-62166
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62166.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-62166
Aliases
  • GHSA-w743-fg6g-mhwh
Published
2026-03-09T19:35:37.043Z
Modified
2026-04-10T05:32:52.430631Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
FreshRSS has an IDOR which allows for viewing feeds of any user and leaking tokens
Details

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

Database specific 
{
    "cwe_ids": [
        "CWE-284",
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62166.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/freshrss/freshrss

Affected ranges

Type
GIT
Repo
https://github.com/freshrss/freshrss
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
fdd82820f16733b6e07def5b590fd94879e5a520

Affected versions

0.*
0.1.0
0.5.0
0.6.0
0.6.1
0.7.0
0.7.1
0.8.0
0.8.1
1.*
1.0.0
1.10.0
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.12.0
1.13.0
1.13.1
1.14.0
1.14.1
1.14.2
1.14.3
1.15.0
1.15.1
1.15.2
1.16.0
1.16.1
1.16.2
1.17.0
1.18.0
1.18.1
1.19.0
1.19.1
1.19.2
1.2.0
1.20.0
1.20.1
1.21.0
1.22.0
1.22.1
1.23.0
1.23.1
1.24.0
1.24.1
1.24.2
1.24.3
1.25.0
1.26.0
1.26.1
1.26.2
1.26.3
1.27.0
1.27.1
1.4.0
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0
1.8.0
1.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62166.json"