CVE-2025-54592
BaseFortify
Publication date: 2025-09-29
Last updated on: 2025-10-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freshrss | freshrss | to 1.27.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade FreshRSS to version 1.27.0 or later, as this version fixes the session termination issue. Until the upgrade is applied, avoid using the affected versions (1.26.3 and below) in environments where session hijacking risks are critical.
Can you explain this vulnerability to me?
This vulnerability occurs in FreshRSS versions 1.26.3 and below, where the application does not properly terminate the user session during logout. Specifically, the session cookie remains active and unchanged after logout, which means an attacker could reuse this cookie if a new session is started. This failure to invalidate the session can lead to session hijacking and fixation attacks.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to hijack or fixate a user's session by reusing the session cookie that should have been invalidated at logout. This can lead to unauthorized access to the user's account and potentially sensitive information or actions within the FreshRSS application.