CVE-2025-62166
Published: 09 March 2026
Summary
CVE-2025-62166 is a high-severity Improper Access Control (CWE-284) vulnerability in Freshrss Freshrss. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ensuring access control decisions are made and applied to every request before enforcement directly prevents improper access control by requiring policy-based checks.
Enforcing approved authorizations directly implements access control policies to block unauthorized access.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing web app via auth bypass for unauthorized data access.
NVD Description
FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds…
more
of other users should be private. This vulnerability is fixed in 1.28.0.
Deeper analysisAI
CVE-2025-62166 is a vulnerability in FreshRSS, a free, self-hostable RSS aggregator, affecting versions prior to 1.28.0. The issue stems from a bug in the authentication logic related to master authentication tokens, which allows bypassing restrictions on feed visibility. Normally, when anonymous viewing is enabled, only the default user's feeds are accessible, while feeds belonging to other users remain private. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed master token handling, they can view private feeds of non-default users, resulting in high confidentiality impact without affecting integrity or availability.
The vulnerability was fixed in FreshRSS version 1.28.0, as detailed in the project's GitHub security advisory (GHSA-w743-fg6g-mhwh), the corresponding pull request (#8165), and the release notes. Security practitioners should upgrade to 1.28.0 or later and review configurations for anonymous viewing to mitigate exposure. The patching commit is available at https://github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24.
Details
- CWE(s)