CVE-2025-58173
Path Traversal in FreshRSS Allows Admin Access, Remote Code Execution
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freshrss | freshrss | 1.26.0 |
| freshrss | freshrss | 1.23.0 |
| freshrss | freshrss | 1.27.0 |
| freshrss | freshrss | 1.25.0 |
| freshrss | freshrss | 1.24.0 |
| freshrss | freshrss | 1.27.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58173 is a critical vulnerability in FreshRSS versions 1.23.0 through 1.27.0 that allows an authenticated attacker to perform a path traversal attack via the `language` user configuration parameter. By setting this parameter to a path like `../`, the attacker can cause the application to include and execute arbitrary PHP files such as `install.php`. This enables the attacker to perform administrative actions despite having unprivileged access, including logging in as the admin, creating new admin users, and changing the database connection to an attacker-controlled MySQL server. The attacker can then inject malicious `curl_params` into the feed configuration to execute arbitrary PHP code on the server, potentially establishing a reverse shell and gaining full control over the FreshRSS instance. The vulnerability exploits improper validation of the language parameter, unsafe inclusion of PHP files, and weaknesses in session and CSRF token validation. [2, 3, 7]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including: full administrative control over the FreshRSS application, arbitrary code execution on the server hosting FreshRSS, creation of persistent backdoors by overwriting configuration files, and potential compromise of the entire server environment. An attacker can escalate privileges from an unprivileged user to admin, manipulate database connections to attacker-controlled servers, and execute malicious PHP code through the feed fetching mechanism. This can lead to data theft, service disruption, and further exploitation of the hosting infrastructure. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual or unauthorized use of the `language` parameter with path traversal patterns (e.g., `../`) in HTTP requests to FreshRSS, especially during login attempts. Additionally, detecting POST requests that attempt to invoke `install.php` or modify administrative settings without proper authorization can indicate exploitation attempts. Network monitoring for connections to unusual MySQL servers (ports 3306, 9001, 9002) from the FreshRSS host may also help detect malicious activity. Specific commands could include: 1. Using web server logs or tools like `grep` to find requests with suspicious language parameters: `grep -r 'language=..' /var/log/nginx/access.log` 2. Monitoring for POST requests to `install.php`: `grep -r 'POST /install.php' /var/log/nginx/access.log` 3. Using network tools like `netstat` or `ss` to check for unexpected outbound connections on MySQL and reverse shell ports: `netstat -tnp | grep -E '3306|9001|9002'` or `ss -tnp | grep -E '3306|9001|9002'` 4. Checking FreshRSS database feed table for suspicious `curl_params` entries if database access is available. These detection methods focus on identifying exploitation attempts by recognizing the path traversal usage, unauthorized admin actions, and malicious database redirection attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Upgrade FreshRSS to version 1.27.1 or later, where the vulnerability is fully patched. 2. Restrict and sanitize the `language` user configuration parameter to prevent path traversal, ensuring only valid languages are accepted. 3. Harden session and CSRF token validation to prevent unauthorized access to `install.php` functionality. 4. Limit and validate allowed cURL parameters to prevent malicious options from being used in feed fetching. 5. Ensure that `install.php` cannot be executed improperly by verifying session initialization before running the script. 6. Restrict network access to the FreshRSS server, especially blocking unauthorized outbound connections to external MySQL servers or reverse shell listeners on ports 3306, 9001, and 9002. These steps collectively prevent exploitation by closing the path traversal vector, securing authentication flows, and limiting the ability to inject malicious code via database or feed configurations. [2, 3, 4, 5, 7]