CVE-2025-61586
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-30

Last updated on: 2025-10-03

Assigner: GitHub, Inc.

Description
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-30
Last Modified
2025-10-03
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-61586
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freshrss freshrss to 1.27.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61586 is a vulnerability in FreshRSS versions 1.26.3 and below where an attacker can manipulate the 'theme' field to perform directory enumeration. By setting the theme path to arbitrary or non-existent directories, the attacker can infer the existence of certain directories on the server based on how the page loads (e.g., broken CSS indicating a directory exists). This allows attackers to gain additional information about the server, such as installed software or PHP versions, which could aid further attacks. The vulnerability arises because FreshRSS treats directories with a metadata.json file as valid themes without proper validation, leading to UI breakage or CSS injection. It was fixed in version 1.27.0 by validating theme existence and disallowing invalid themes. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to gather sensitive information about your server through directory enumeration, which can be used to plan further attacks. It can also cause UI disruption or breakage in FreshRSS instances by injecting unintended CSS or causing blank pages. Although it is considered low severity, it exposes internal directory structure and may reveal software versions, increasing the risk of exploitation by attackers. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by attempting to manipulate the 'theme' field in FreshRSS display settings to point to specific directories and observing the application's response. For example, using a proxy tool like Burp Suite, you can submit theme changes with paths such as 'data/users/test' and check if the page loads with broken CSS, indicating the directory exists. Conversely, a non-existent directory like 'test2' will not cause broken CSS. There are no specific commands provided, but using an intercepting proxy to modify HTTP requests and observe UI behavior is the suggested method. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade FreshRSS to version 1.27.0 or later, where the issue is fixed. The fix disallows setting themes that do not exist or are invalid by validating theme identifiers and checking for the presence of a metadata.json file before applying themes. Additionally, the 1.27.0 release includes other security enhancements such as reauthentication (sudo mode), improved Content-Security-Policy headers, and stricter access controls. If upgrading immediately is not possible, restrict access to the theme setting functionality and monitor for suspicious theme changes. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61586. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart