CVE-2025-59950: 
NixOS vulnerability analysis and mitigation

FreshRSS, a free, self-hostable RSS aggregator, was found to contain a double clickjacking vulnerability in versions 1.26.3 and below (CVE-2025-59950). The vulnerability was discovered in late September 2025 and affects the user management functionality of the application (GitHub Advisory).

The vulnerability stems from a bypass of double clickjacking protection in the confirmation dialog system. When accessing the user details page with an 'ajax=1' parameter (e.g., /i/?c=user&a=details&username=test2&ajax=1), the page loads without JavaScript protection, circumventing the intended clickjacking safeguards. The vulnerability is tracked as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) and has received a CVSS v3.1 score of 6.7 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L (GitHub Advisory).

A successful exploitation of this vulnerability allows attackers to promote themselves to administrator status and gain access to other users' accounts. The attack requires knowledge of the specific instance URL being targeted. The vulnerability affects the application's security model by bypassing standard browser clickjacking protections, making it exploitable from any malicious webpage (GitHub Advisory).

The vulnerability has been patched in FreshRSS version 1.27.0. The fix was implemented through pull request #7771, which improves the security of forms for user details. Users are strongly advised to upgrade to version 1.27.0 or later to protect against this vulnerability (FreshRSS Release).