Vulnerability Description
FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for "keep me logged in" functionality. This issue has been patched in version 1.28.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Freshrss | Freshrss | < 1.28.0 |
Related Weaknesses (CWE)
References
- https://github.com/FreshRSS/FreshRSS/commit/57e1a375cbd2db9741ff19167813344f8effPatch
- https://github.com/FreshRSS/FreshRSS/pull/8061Issue TrackingPatch
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j9wc-gwc6-p786ExploitPatchVendor Advisory
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j9wc-gwc6-p786ExploitPatchVendor Advisory
FAQ
What is CVE-2025-68932?
CVE-2025-68932 is a vulnerability with a CVSS score of 9.8 (CRITICAL). FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication...
How severe is CVE-2025-68932?
CVE-2025-68932 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-68932?
Check the references section above for vendor advisories and patch information. Affected products include: Freshrss Freshrss.