CVE-2025-68402
- Source
- https://cve.org/CVERecord?id=CVE-2025-68402
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68402.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-68402
- Aliases
-
- GHSA-pcq9-mq6m-mvmp
- Published
- 2026-03-09T19:41:57.974Z
- Modified
- 2026-04-10T05:35:06.450175Z
- Severity
-
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch]
- Details
-
FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the lengths of the nonce was changed from 40 chars to 64. password_verify() is currently being called with a constructed string (SHA-256 nonce + part of a bcrypt hash) instead of the raw user password. Due to bcrypt’s 72-byte input truncation, this causes password verification to succeed even when the user enters an incorrect password. This vulnerability is fixed in 1.27.2-dev (476e57b). The issue was only present in the edge branch and never in a stable release.
- Database specific
{ "cwe_ids": [ "CWE-287" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68402.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68402.json
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-pcq9-mq6m-mvmp
- https://nvd.nist.gov/vuln/detail/CVE-2025-68402
- https://github.com/FreshRSS/FreshRSS/commit/476e57b04646416e24e24c56133c9fadf9e52b95
- https://github.com/FreshRSS/FreshRSS/pull/8061
- https://github.com/FreshRSS/FreshRSS/pull/8320
Affected packages
Git / github.com/freshrss/freshrss
Affected ranges
- Type
- GIT
- Repo
- https://github.com/freshrss/freshrss
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1.0
0.5.0
0.6.0
0.6.1
0.7.0
0.7.1
0.8.0
0.8.1
1.*
1.0.0
1.10.0
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.12.0
1.13.0
1.13.1
1.14.0
1.14.1
1.14.2
1.14.3
1.15.0
1.15.1
1.15.2
1.16.0
1.16.1
1.16.2
1.17.0
1.18.0
1.18.1
1.19.0
1.19.1
1.19.2
1.2.0
1.20.0
1.20.1
1.21.0
1.22.0
1.22.1
1.23.0
1.23.1
1.24.0
1.24.1
1.24.2
1.24.3
1.25.0
1.26.0
1.26.1
1.26.2
1.26.3
1.27.0
1.27.1
1.4.0
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0
1.8.0
1.9.0