CVE-2025-62166
Authentication Bypass in FreshRSS Allows Unauthorized Feed Access

Publication date: 2026-03-09

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
FreshRSS is a free, self-hostable RSS aggregator. Normally, when anonymous viewing is enabled, only the default user's feed is viewable and the feeds of other users remain private. Prior to 1.28.0, a bug in the authentication logic related to master authentication tokens allows this restriction to be bypassed. This vulnerability is fixed in 1.28.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-09
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: freshrss
Product: freshrss
Version / Range: up to 1.28.0 (excluding 1.28.0)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2025-62166 is a critical authorization bypass vulnerability in FreshRSS, a self-hostable RSS aggregator. The flaw exists in the authentication logic related to master authentication tokens when anonymous viewing of the default user feed is enabled.

Due to improper validation of the 'user' and 'token' parameters in requests, an attacker can specify any username and an arbitrary token value to bypass access controls and view feeds of arbitrary users. The token parameter is not properly validated, allowing unauthorized access without any privileges or user interaction.

Additionally, master authentication tokens can be leaked from the normal view, enabling persistent unauthorized access even after the vulnerability is patched or anonymous viewing is disabled. [1]

Impact Analysis

This vulnerability allows unauthorized disclosure of any user's feed data on FreshRSS instances with anonymous viewing enabled.

Attackers can access sensitive feed information and user settings, potentially including stored credentials.

Moreover, leakage of master authentication tokens can enable attackers to maintain persistent unauthorized access to user feeds even after patches or configuration changes. [1]

Detection Guidance

This vulnerability can be detected by attempting to access FreshRSS feeds of arbitrary users using crafted URLs with manipulated user and token parameters when anonymous viewing is enabled.

Examples of vulnerable endpoints to test include URLs with parameters such as ?c=index&a=index&user=someuser&token=x or ?c=index&a=normal&user=someuser&token=x.

If you can retrieve feed data or export feeds of users other than the default anonymous user without proper authentication, the system is vulnerable.

Suggested commands involve using tools like curl or wget to send HTTP requests to these endpoints, for example:

- curl -i "https://your-freshrss-instance/i/?c=index&a=normal&user=someuser&token=x"
- curl -i "https://your-freshrss-instance/i/?c=index&a=opml&user=someuser&token=x"

If the response contains feed data or user-specific information without proper authentication, it indicates the vulnerability is present. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade FreshRSS to version 1.28.0 or later, where the vulnerability has been fixed by improving token validation and removing token exposure for anonymous users.

If upgrading immediately is not possible, consider disabling anonymous viewing of feeds to prevent unauthorized access.

Additionally, review and revoke any leaked master authentication tokens to prevent persistent unauthorized access.

Ensure that tokens are properly validated and not exposed in URLs or HTML source for anonymous users.

Apply security best practices such as restricting access controls and monitoring for suspicious access patterns.
