Vulnerability Description
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Freshrss | Freshrss | < 1.26.2 |
Related Weaknesses (CWE)
References
- https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc (Patch)
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65 (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-31134?
CVE-2025-31134 is a vulnerability with a CVSS score of 7.5 (HIGH). FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for exam...
How severe is CVE-2025-31134?
CVE-2025-31134 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-31134?
Check the references section above for vendor advisories and patch information. Affected products include: Freshrss Freshrss.