CVE-2025-54592
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2025-10-03

Assigner: GitHub, Inc.

Description
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2025-10-03
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-54592
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freshrss freshrss to 1.27.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Upgrade FreshRSS to version 1.27.0 or later, as this version fixes the session termination issue. Until the upgrade is applied, avoid using the affected versions (1.26.3 and below) in environments where session hijacking risks are critical.

Executive Summary

This vulnerability occurs in FreshRSS versions 1.26.3 and below, where the application does not properly terminate the user session during logout. Specifically, the session cookie remains active and unchanged after logout, which means an attacker could reuse this cookie if a new session is started. This failure to invalidate the session can lead to session hijacking and fixation attacks.

Impact Analysis

The vulnerability can allow an attacker to hijack or fixate a user's session by reusing the session cookie that should have been invalidated at logout. This can lead to unauthorized access to the user's account and potentially sensitive information or actions within the FreshRSS application.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-54592. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart