CVE-2025-32015
BaseFortify

Publication date: 2025-06-04

Last updated on: 2025-08-12

Assigner: GitHub, Inc.

Description
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the `<iframe srcdoc>` attribute, which leads to cross-site scripting (XSS) by loading an attacker's UserJS inside `<script src>`. In order to execute the attack, the attacker needs to control one of the victim's feeds and have an account on the FreshRSS instance that the victim is using. An attacker can gain access to the victim's account by exploiting this vulnerability. If the victim is an admin, it would be possible to delete all users (cause damage) or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS. Version 1.26.2 contains a patch for the issue.
Meta Information
Generated: 2026-05-06
AI Q&A generated: 2025-06-04
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: freshrss | Product: freshrss | Version range: all versions before 1.26.2 (1.26.2 excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-32015 is a Cross-Site Scripting (XSS) vulnerability in FreshRSS versions prior to 1.26.2. It occurs because HTML inside the <iframe srcdoc> attribute is not properly sanitized, allowing an attacker to embed malicious JavaScript via a <script src> tag. To exploit this, the attacker must have an account on the FreshRSS instance and control one of the victim's RSS feeds. When the victim subscribes to the malicious feed, the attacker's script executes in the victim's browser, potentially stealing sensitive information like CSRF tokens and hijacking the victim's account. [2]


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker to hijack the victim's FreshRSS account. For regular users, this means unauthorized access to their feeds and data. If the victim is an administrator, the attacker can perform destructive actions such as deleting all users or executing arbitrary code on the server by manipulating update URLs via fetch() calls within the XSS context. This can lead to significant damage including data loss and server compromise. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your FreshRSS instance is running a version prior to 1.26.2, as those versions are vulnerable. Additionally, you can inspect feeds added to the system for the presence of <iframe> elements with a srcdoc attribute containing <script src> tags, which indicate potential malicious payloads. Since the attack requires the victim to add a malicious feed, monitoring feed URLs and their content for suspicious iframe srcdoc usage is recommended. There are no specific commands provided in the resources, but you can use tools like curl or wget to fetch feed URLs and grep or parse the content for <iframe srcdoc> elements with embedded <script src> tags. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade FreshRSS to version 1.26.2 or later, where the vulnerability is patched by disallowing the use of the srcdoc attribute in <iframe> elements. This patch strips the srcdoc attribute from allowed attributes, preventing the XSS attack vector. As a temporary measure, you can also audit and remove any feeds containing <iframe srcdoc> elements with embedded scripts. Restricting user permissions to prevent untrusted users from adding feeds can also reduce risk. [1, 2]
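As an added defender-side example (not part of this record and not FreshRSS's own code), the following Python implements the two checks the answers above describe: it parses a feed entry's HTML for an `<iframe srcdoc>` whose inner document loads a `<script src>`, and it strips the `srcdoc` attribute from `<iframe>` tags in the spirit of the 1.26.2 fix. The sample entry, its URLs and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
import re

class _ScriptSrcFinder(HTMLParser):
    """Collects the src of every <script> tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.script_srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_srcs += [v for n, v in attrs if n == "src" and v]

class _IframeSrcdocAuditor(HTMLParser):
    """Records each <iframe srcdoc> with the external scripts its inner document loads."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        srcdoc = dict(attrs).get("srcdoc") if tag == "iframe" else None
        if srcdoc is None:
            return
        # html.parser has already unescaped the attribute, so srcdoc now holds the
        # inner HTML document; parse it a second time to find <script src> tags.
        inner = _ScriptSrcFinder()
        inner.feed(srcdoc)
        inner.close()
        self.findings.append({"srcdoc": srcdoc, "script_srcs": inner.script_srcs})

def find_srcdoc_script_loads(entry_html):
    """Return the <iframe srcdoc> occurrences whose inner document loads a script."""
    auditor = _IframeSrcdocAuditor()
    auditor.feed(entry_html)
    auditor.close()
    return [f for f in auditor.findings if f["script_srcs"]]

# Mitigation in the spirit of the 1.26.2 fix (srcdoc dropped from the allowed iframe
# attributes). Regex-based, so it assumes well-formed markup; a parser-backed
# allow-list sanitizer is the robust production form.
_IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
_SRCDOC_ATTR = re.compile(r"""\ssrcdoc\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)

def strip_iframe_srcdoc(entry_html):
    """Drop the srcdoc attribute from every <iframe> tag, keeping other attributes."""
    return _IFRAME_TAG.sub(lambda m: _SRCDOC_ATTR.sub("", m.group(0)), entry_html)

# Constructed sample entry: one srcdoc loading an external script, one harmless, one plain iframe.
SAMPLE_ENTRY_HTML = (
    "<p>Weekly digest</p>"
    '<iframe srcdoc="&lt;script src=&quot;https://untrusted.invalid/userjs.js&quot;&gt;&lt;/script&gt;"></iframe>'
    '<iframe srcdoc="&lt;p&gt;harmless inline text&lt;/p&gt;"></iframe>'
    '<iframe src="https://example.invalid/embed" width="400"></iframe>'
)
```

Running `find_srcdoc_script_loads` over each entry of a fetched feed flags only the first iframe, and `strip_iframe_srcdoc` leaves the ordinary `src` iframe untouched.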

