CVE-2025-31134: 
NixOS vulnerability analysis and mitigation

FreshRSS, a self-hosted RSS feed aggregator, was found to contain a directory enumeration vulnerability prior to version 1.26.2. The vulnerability was discovered and disclosed on June 3, 2025, and was assigned CVE-2025-31134. The issue affects all versions up to and including 1.26.1 (GitHub Advisory).

The vulnerability exists in the ext.php file handling mechanism where an attacker can gain additional information about the server by checking if certain directories exist. The issue received a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and CVSS v4.0 score of 5.5 MEDIUM. The vulnerability can be exploited remotely without requiring any privileges or user interaction (NVD).

An attacker can exploit this vulnerability to check if older PHP versions are installed or if certain software is installed on the server. This information disclosure could potentially be used to further attack the server. The vulnerability primarily affects instances where UserJS or UserCSS is enabled (GitHub Advisory).

The vulnerability has been patched in FreshRSS version 1.26.2. Users are advised to upgrade to this version or later to address the security issue. The fix includes improvements to the file serving mechanism for symlinked extensions (GitHub Patch).