CVE-2025-58173
Unknown Unknown - Not Provided
Path Traversal in FreshRSS Allows Admin Access, Remote Code Execution

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: GitHub, Inc.

Description
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58173
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
freshrss freshrss 1.26.0
freshrss freshrss 1.23.0
freshrss freshrss 1.27.0
freshrss freshrss 1.25.0
freshrss freshrss 1.24.0
freshrss freshrss 1.27.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58173 is a critical vulnerability in FreshRSS versions 1.23.0 through 1.27.0 that allows an authenticated attacker to perform a path traversal attack via the `language` user configuration parameter. By setting this parameter to a path like `../`, the attacker can cause the application to include and execute arbitrary PHP files such as `install.php`. This enables the attacker to perform administrative actions despite having unprivileged access, including logging in as the admin, creating new admin users, and changing the database connection to an attacker-controlled MySQL server. The attacker can then inject malicious `curl_params` into the feed configuration to execute arbitrary PHP code on the server, potentially establishing a reverse shell and gaining full control over the FreshRSS instance. The vulnerability exploits improper validation of the language parameter, unsafe inclusion of PHP files, and weaknesses in session and CSRF token validation. [2, 3, 7]

Impact Analysis

This vulnerability can have severe impacts including: full administrative control over the FreshRSS application, arbitrary code execution on the server hosting FreshRSS, creation of persistent backdoors by overwriting configuration files, and potential compromise of the entire server environment. An attacker can escalate privileges from an unprivileged user to admin, manipulate database connections to attacker-controlled servers, and execute malicious PHP code through the feed fetching mechanism. This can lead to data theft, service disruption, and further exploitation of the hosting infrastructure. [2]

Detection Guidance

Detection of this vulnerability involves monitoring for unusual or unauthorized use of the `language` parameter with path traversal patterns (e.g., `../`) in HTTP requests to FreshRSS, especially during login attempts. Additionally, detecting POST requests that attempt to invoke `install.php` or modify administrative settings without proper authorization can indicate exploitation attempts. Network monitoring for connections to unusual MySQL servers (ports 3306, 9001, 9002) from the FreshRSS host may also help detect malicious activity. Specific commands could include: 1. Using web server logs or tools like `grep` to find requests with suspicious language parameters: `grep -r 'language=..' /var/log/nginx/access.log` 2. Monitoring for POST requests to `install.php`: `grep -r 'POST /install.php' /var/log/nginx/access.log` 3. Using network tools like `netstat` or `ss` to check for unexpected outbound connections on MySQL and reverse shell ports: `netstat -tnp | grep -E '3306|9001|9002'` or `ss -tnp | grep -E '3306|9001|9002'` 4. Checking FreshRSS database feed table for suspicious `curl_params` entries if database access is available. These detection methods focus on identifying exploitation attempts by recognizing the path traversal usage, unauthorized admin actions, and malicious database redirection attempts. [2]

Mitigation Strategies

Immediate mitigation steps include: 1. Upgrade FreshRSS to version 1.27.1 or later, where the vulnerability is fully patched. 2. Restrict and sanitize the `language` user configuration parameter to prevent path traversal, ensuring only valid languages are accepted. 3. Harden session and CSRF token validation to prevent unauthorized access to `install.php` functionality. 4. Limit and validate allowed cURL parameters to prevent malicious options from being used in feed fetching. 5. Ensure that `install.php` cannot be executed improperly by verifying session initialization before running the script. 6. Restrict network access to the FreshRSS server, especially blocking unauthorized outbound connections to external MySQL servers or reverse shell listeners on ports 3306, 9001, and 9002. These steps collectively prevent exploitation by closing the path traversal vector, securing authentication flows, and limiting the ability to inject malicious code via database or feed configurations. [2, 3, 4, 5, 7]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart