CVE-2025-31134
Published: 04 June 2025
Summary
CVE-2025-31134 is a medium-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Freshrss Freshrss. Its CVSS base score is 5.5 (Medium).
Operationally, ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16907
Vulnerability details
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if…
more
certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Embedding taints allows detection when sensitive data is inserted into outbound or sent data streams.