CVE-2025-68148
Unknown Unknown - Not Provided
HTTP 429 Denial of Service in FreshRSS Feed Proxy

Publication date: 2025-12-27

Last updated on: 2025-12-27

Assigner: GitHub, Inc.

Description
FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for a large list of feeds on given instance, making it unusable for majority of users. This issue has been patched in version 1.28.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-27
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68148
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freshrss freshrss 1.27.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in FreshRSS versions 1.27.0 to before 1.28.0 allows an attacker to cause a global denial of access to feeds by modifying proxy responses to return a 429 Retry-After status for a large list of feeds on the instance, making the service unusable for most users. It has been fixed in version 1.28.0.

Impact Analysis

The vulnerability can impact you by making the FreshRSS service unusable for the majority of users due to a global denial of access to feeds, which disrupts normal access and availability of RSS feeds.

Mitigation Strategies

Upgrade FreshRSS to version 1.28.0 or later, as this version contains the patch that fixes the vulnerability allowing attackers to cause a denial of service by modifying responses to 429 Retry-After status codes.

Compliance Impact

The vulnerability impacts availability by allowing denial of service to RSS feeds but does not affect confidentiality or integrity of data. There is no information indicating that this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA. [1, 3]

Detection Guidance

This vulnerability can be detected by monitoring HTTP responses from FreshRSS feed requests for unusual 429 Too Many Requests status codes accompanied by Retry-After headers with large values (e.g., Retry-After: 10000). To detect exploitation attempts or presence of malicious proxies, you can capture and inspect HTTP traffic to identify repeated 429 responses with Retry-After headers affecting multiple feeds. Commands such as using curl to fetch feeds and observe headers, or using network traffic analysis tools like tcpdump or Wireshark to filter HTTP/2 429 responses, can help. For example, you can run: 1) curl -I <feed_url> to check HTTP headers for 429 status and Retry-After header; 2) tcpdump -i <interface> -A 'tcp port 80 or 443' | grep -i 'HTTP/2 429' to capture relevant HTTP responses; 3) Use proxy tools like Burp Suite to intercept and analyze feed responses for manipulated Retry-After headers. These methods help identify if a proxy is injecting false Retry-After headers causing denial of service. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68148. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart