CVE-2025-61586
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-10-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freshrss | freshrss | up to 1.27.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61586 is a vulnerability in FreshRSS versions 1.26.3 and below where an attacker can manipulate the 'theme' field to perform directory enumeration. By setting the theme path to arbitrary or non-existent directories, the attacker can infer the existence of certain directories on the server based on how the page loads (e.g., broken CSS indicating a directory exists). This allows attackers to gain additional information about the server, such as installed software or PHP versions, which could aid further attacks. The vulnerability arises because FreshRSS treats directories with a metadata.json file as valid themes without proper validation, leading to UI breakage or CSS injection. It was fixed in version 1.27.0 by validating theme existence and disallowing invalid themes. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to gather sensitive information about your server through directory enumeration, which can be used to plan further attacks. It can also cause UI disruption or breakage in FreshRSS instances by injecting unintended CSS or causing blank pages. Although it is considered low severity, it exposes internal directory structure and may reveal software versions, increasing the risk of exploitation by attackers. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to manipulate the 'theme' field in FreshRSS display settings to point to specific directories and observing the application's response. For example, using a proxy tool like Burp Suite, you can submit theme changes with paths such as 'data/users/test' and check if the page loads with broken CSS, indicating the directory exists. Conversely, a non-existent directory like 'test2' will not cause broken CSS. There are no specific commands provided, but using an intercepting proxy to modify HTTP requests and observe UI behavior is the suggested method. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade FreshRSS to version 1.27.0 or later, where the issue is fixed. The fix disallows setting themes that do not exist or are invalid by validating theme identifiers and checking for the presence of a metadata.json file before applying themes. Additionally, the 1.27.0 release includes other security enhancements such as reauthentication (sudo mode), improved Content-Security-Policy headers, and stricter access controls. If upgrading immediately is not possible, restrict access to the theme setting functionality and monitor for suspicious theme changes. [2, 3]
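As an added illustration of the fix described above (example code written for this page, not FreshRSS's own implementation): a simplified theme-selection check in Python, with the permissive behaviour beside a hardened version that only accepts a plain identifier naming a directory that actually sits inside the themes folder. The directory layout, the theme name "Origine" and the probe values are constructed for the demo.

```python
import os
import re
import tempfile

# A theme identifier is a bare directory name: no separators, no dots, no traversal.
THEME_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def permissive_theme_check(themes_dir: str, theme: str) -> bool:
    """Model of the weak check: any directory holding a metadata.json counts as a
    theme, so a relative path in `theme` can point outside themes_dir."""
    return os.path.isfile(os.path.join(themes_dir, theme, "metadata.json"))


def hardened_theme_check(themes_dir: str, theme: str) -> bool:
    """Accept only an identifier that names an installed theme directory."""
    if not THEME_ID_RE.fullmatch(theme):
        return False
    installed = {e.name for e in os.scandir(themes_dir) if e.is_dir(follow_symlinks=False)}
    if theme not in installed:
        return False
    return os.path.isfile(os.path.join(themes_dir, theme, "metadata.json"))


def demo() -> dict:
    """Build a throwaway tree and return {probe: (permissive, hardened)} results."""
    with tempfile.TemporaryDirectory() as root:
        themes = os.path.join(root, "p", "themes")
        os.makedirs(os.path.join(themes, "Origine"))            # constructed valid theme
        open(os.path.join(themes, "Origine", "metadata.json"), "w").close()
        # Constructed: a directory outside the themes folder that happens to
        # contain a metadata.json, so the permissive check would accept it.
        outside = os.path.join(root, "data", "users", "test")
        os.makedirs(outside)
        open(os.path.join(outside, "metadata.json"), "w").close()
        probes = ["Origine", "../../data/users/test", "nope"]
        return {p: (permissive_theme_check(themes, p), hardened_theme_check(themes, p))
                for p in probes}


if __name__ == "__main__":
    for probe, (weak, strong) in demo().items():
        print(f"{probe!r:28} permissive={weak!s:5} hardened={strong}")
```

The hardened check rejects the traversal probe before it ever touches the filesystem, which is what removes the existence oracle the Q&A describes.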