CVE-2025-61586: 
NixOS vulnerability analysis and mitigation

FreshRSS, a free self-hostable RSS aggregator, was found to contain a directory enumeration vulnerability (CVE-2025-61586) in versions 1.26.3 and below. The vulnerability was discovered in September 2025 and allows attackers to gain additional information about the server by checking if certain directories exist through the theme field setting (GitHub Advisory, NVD).

The vulnerability exists in the theme field setting functionality where an attacker could manipulate the path parameter to enumerate directories. The issue received a CVSS v4.0 Base Score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, and a CVSS v3.1 Base Score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability allows attackers to gather information about the server environment by checking for the existence of specific directories. This could include detecting older PHP versions or installed software, potentially providing attackers with valuable reconnaissance information for further attacks (GitHub Advisory).

The vulnerability has been fixed in FreshRSS version 1.27.0. The patch implements proper validation of theme paths and disallows setting non-existent themes. Users are advised to upgrade to version 1.27.0 or later to address this security issue (GitHub Commit).