CVE-2025-61586: 
NixOS vulnerability analysis and mitigation

FreshRSS, a free self-hostable RSS aggregator, was found to contain a directory enumeration vulnerability (CVE-2025-61586) in versions 1.26.3 and below. The vulnerability was discovered in September 2025 and allows attackers to gain additional information about the server by checking if certain directories exist through manipulation of the theme field (GitHub Advisory).

The vulnerability stems from improper validation of the theme field in the display settings. An attacker could set paths in the theme field to enumerate directories, such as checking for specific user directories or system paths. The vulnerability is tracked with a CVSS 3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no privileges required (NVD).

The vulnerability allows attackers to gather information about the server environment by checking for the existence of specific directories. This could reveal information about installed PHP versions, presence of certain software, and user accounts, which could potentially be leveraged for further attacks against the server (GitHub Advisory).

The vulnerability has been patched in FreshRSS version 1.27.0. The fix includes validation of theme paths and disallowing setting of non-existent themes through commit 6549932 (GitHub Commit).