CVE-2025-54591: 
NixOS vulnerability analysis and mitigation

FreshRSS, a free self-hostable RSS aggregator, was found to contain a security vulnerability (CVE-2025-54591) in versions 1.26.3 and below. The vulnerability was discovered on September 29, 2025, and allows unauthorized users to access information about feeds and tags of default admin users. This exposure occurs due to insufficient access checking in the FreshRSS_Auth::hasAccess() function used by certain tag/feed related endpoints (GitHub Advisory).

The vulnerability stems from missing access controls in several controller actions. While FreshRSS controllers typically implement a firstAction() method to ensure access control, certain endpoints lacked this implementation and failed to perform manual access checks. The affected endpoints include tagController's updateAction, and javascriptController's actualizeAction and nbUnreadsPerFeedAction. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with no required privileges or user interaction (GitHub Advisory).

The vulnerability allows unauthorized users to view sensitive information about the administrator's feed subscriptions and tags, including the number of unread items. Attackers can access tag names, filter actions, and feed IDs/names in JSON format. Tag IDs can be obtained through incremental bruteforce attempts, as they follow a sequential pattern (GitHub Advisory).

The vulnerability has been fixed in FreshRSS version 1.27.0. As a temporary workaround before upgrading, administrators can create a new separate admin user and set it as the default user in data/config.php, which allows them to preserve privacy on their normally used account (GitHub Release, GitHub Advisory).