CVE-2025-68932
Predictable Token Vulnerability in FreshRSS Enables Account Takeover
Publication date: 2025-12-27
Last updated on: 2025-12-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freshrss | freshrss | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in FreshRSS prior to version 1.28.0 involves the use of weak random number generators (mt_rand() and uniqid()) to create remember-me authentication tokens and challenge-response nonces. Because these tokens are predictable, attackers can guess valid session tokens and hijack user sessions, leading to account takeover. The remember-me tokens allow permanent authentication for the "keep me logged in" feature, making this vulnerability critical for persistent session hijacking.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your FreshRSS installation is running a version prior to 1.28.0, since versions up to 1.27.1 generate tokens with the weak mt_rand() and uniqid() functions. To detect exploitation attempts or the presence of predictable tokens, you can monitor HTTP requests for the `FreshRSS_login` cookie and analyze token patterns. A practical approach involves capturing the `FreshRSS_login` cookie from login requests and comparing tokens against those generated by a script mimicking the vulnerable token generation (using mt_rand() and uniqid()). There is no direct built-in command, but you can use network capture tools like tcpdump or Wireshark to capture HTTP traffic and extract cookies. For example, to capture HTTP traffic on port 80 with tcpdump (the filter drops packets with no payload): `tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Cookie: FreshRSS_login'`. Additionally, you can write or use existing PHP scripts that replicate the vulnerable token generation to predict tokens and test authentication attempts. Monitoring token files in `DATA_PATH/tokens/` for unusual access patterns or brute-force attempts may also help detect exploitation. Ultimately, upgrading to FreshRSS 1.28.0 or later is the recommended mitigation. [1]
How can this vulnerability impact me?
An attacker exploiting this vulnerability can predict authentication tokens and hijack user sessions, resulting in unauthorized access to user accounts. This can lead to account takeover, compromising user data and potentially allowing the attacker to perform actions on behalf of the user without their consent.
What immediate steps should I take to mitigate this vulnerability?
Upgrade FreshRSS to version 1.28.0 or later, as this version patches the vulnerability related to weak random number generators used for authentication tokens. Until the upgrade, consider disabling the 'remember me' or 'keep me logged in' functionality to reduce risk.
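The following PHP snippet is an added example, not FreshRSS project code, illustrating the CWE-338 pattern the explanation above describes (a token derived from mt_rand() and uniqid()) beside the hardened form a fixed release would be expected to use (a token drawn from the operating system's CSPRNG). The function names (`weakToken`, `strongToken`, `storedForm`, `tokenMatches`) are assumptions made for this illustration, and the weak variant is a constructed approximation of the vulnerable pattern, not the exact code from any FreshRSS version.

```php
<?php
// Added example, not FreshRSS code. Contrasts a CWE-338 token with a CSPRNG token.

// Constructed illustration of the weak pattern named in the advisory.
// uniqid() is derived from the microsecond clock and mt_rand() is a Mersenne
// Twister with a small, recoverable internal state; hashing the result does
// not add entropy, so the token space an attacker must search stays small.
function weakToken(): string {
    return sha1(uniqid((string) mt_rand(), true));
}

// Hardened form: 32 bytes from the OS CSPRNG (random_bytes() throws instead of
// falling back to a weak source), hex-encoded to a 64-character cookie value.
function strongToken(int $bytes = 32): string {
    return bin2hex(random_bytes($bytes));
}

// Store only a hash of the token server-side (e.g. under DATA_PATH/tokens/),
// so that reading the token files alone does not yield a usable cookie value.
function storedForm(string $token): string {
    return hash('sha256', $token);
}

// Compare the presented cookie against the stored hash in constant time.
function tokenMatches(string $storedHash, string $presented): bool {
    return hash_equals($storedHash, storedForm($presented));
}

// Usage: issue a token at login, keep its hash, validate it on the next request.
$issued = strongToken();
$onDisk = storedForm($issued);

var_dump(strlen($issued) === 64);          // bool(true)
var_dump(ctype_xdigit($issued));           // bool(true)
var_dump(tokenMatches($onDisk, $issued));  // bool(true)
var_dump(tokenMatches($onDisk, strongToken())); // bool(false)
```

Two design points worth noting: random_bytes() is the only PHP primitive here that is specified as cryptographically secure (mt_rand(), rand() and uniqid() are not, regardless of the "more entropy" flag), and hash_equals() prevents the comparison of the stored and presented values from leaking timing information.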