CVE-2025-31134 Overview
CVE-2025-31134 is an information disclosure vulnerability in FreshRSS, a self-hosted RSS feed aggregator. Versions prior to 1.26.2 allow an unauthenticated remote attacker to determine whether specific directories exist on the host. An attacker can use this oracle to fingerprint installed PHP versions or other software present on the server. That reconnaissance data can be combined with known exploits to mount follow-on attacks against the underlying host. FreshRSS 1.26.2 contains the fix, which corrects file-serving logic for symlinked third-party extensions in p/ext.php and lib/lib_rss.php. The weakness is tracked under [CWE-201] (Insertion of Sensitive Information Into Sent Data).
Critical Impact
Unauthenticated attackers can probe the FreshRSS host filesystem to discover installed software and PHP versions, enabling targeted follow-on exploitation.
Affected Products
- FreshRSS versions prior to 1.26.2
- FreshRSS self-hosted deployments exposing the p/ext.php endpoint
- Installations using third-party extensions resolved through symlinked directories
Discovery Timeline
- 2025-06-04 - CVE-2025-31134 published to NVD
- 2025-06-10 - Last updated in NVD database
Technical Details for CVE-2025-31134
Vulnerability Analysis
The vulnerability resides in how FreshRSS resolves and serves files for third-party extensions. The extension handler in p/ext.php uses realpath() to validate that a requested file is contained within THIRDPARTY_EXTENSIONS_PATH. When an extension directory is a symbolic link, realpath() resolves the link to its filesystem target outside that path, causing the validation check to fail and the response behavior to differ based on whether the target path exists.
An attacker can request crafted paths through the extension endpoint and observe the response. Differences in HTTP status, response size, or error behavior reveal whether a referenced directory or file is present on the underlying host. The oracle works without authentication and only requires network access to the FreshRSS instance.
The data exposed is limited to existence information about filesystem paths. However, that signal is sufficient to enumerate PHP installations, package directories, and adjacent software. The disclosure aligns with [CWE-201], where application logic unintentionally leaks server-side state to remote requesters.
Root Cause
The root cause is missing handling of symbolic links in the extension path resolution logic. FreshRSS treated realpath() output as authoritative without first checking whether the requested directory was itself a symlink. As a result, the application's response to file requests varied based on the existence of the symlink target.
Attack Vector
Exploitation requires only network access to the FreshRSS web interface. The attacker issues HTTP requests to the extensions endpoint with crafted filenames and infers existence from response differences. No credentials or user interaction are required.
// Patch in lib/lib_rss.php - handle symlinked directories before recursive removal
return true;
}
if (is_link($dir)) {
if (PHP_OS_FAMILY === "Windows") {
return rmdir($dir);
}
return unlink($dir);
}
$files = array_diff(scandir($dir) ?: [], ['.', '..']);
foreach ($files as $filename) {
$filename = $dir . '/' . $filename;
Source: FreshRSS commit 4568111
// Patch in p/ext.php - short-circuit when the extension directory is a symlink
$third_party_extension = realpath(THIRDPARTY_EXTENSIONS_PATH . '/' . $file_name);
if (false !== $third_party_extension) {
$original_dir = THIRDPARTY_EXTENSIONS_PATH . '/' . explode('/', $file_name)[0];
if (is_link($original_dir)) {
return THIRDPARTY_EXTENSIONS_PATH . '/' . $file_name;
}
return $third_party_extension;
}
Source: FreshRSS commit 4568111
Detection Methods for CVE-2025-31134
Indicators of Compromise
- Repeated HTTP GET requests to p/ext.php with varying file_name parameters from a single source IP
- Requests to the extensions endpoint containing path traversal sequences or references to system directories such as /usr/lib/php or /etc
- Anomalous 4xx response patterns from FreshRSS that correlate with directory enumeration
Detection Strategies
- Inspect web server access logs for high-volume scanning against the FreshRSS p/ext.php route
- Alert on requests to FreshRSS extension paths that reference filenames containing absolute paths or .. sequences
- Correlate scanning of the FreshRSS host with subsequent exploitation attempts against PHP or auxiliary services identified through the oracle
Monitoring Recommendations
- Forward FreshRSS web server logs to a centralized analytics platform and baseline normal extension request patterns
- Track the installed FreshRSS version across hosts and flag any instance still running a release earlier than 1.26.2
- Monitor outbound reconnaissance follow-up activity such as targeted requests against the specific PHP version paths probed earlier
How to Mitigate CVE-2025-31134
Immediate Actions Required
- Upgrade FreshRSS to version 1.26.2 or later on all self-hosted instances
- Restrict network exposure of FreshRSS to trusted networks or place the application behind an authenticated reverse proxy
- Review third-party extension directories and remove unnecessary symbolic links pointing outside THIRDPARTY_EXTENSIONS_PATH
Patch Information
The fix is shipped in FreshRSS 1.26.2 via commit 4568111. Details are published in GitHub Security Advisory GHSA-jjm2-4hf7-9x65. The patch adds is_link() checks before path resolution so symlinked extension directories are handled without leaking target existence through realpath() behavior.
Workarounds
- Block public access to the p/ext.php endpoint at the reverse proxy until the upgrade is applied
- Remove or relocate third-party extension symlinks so extension paths resolve only within the FreshRSS installation tree
- Apply rate limiting and request validation rules at the web server to suppress directory enumeration attempts
# Example nginx rule to block direct access to the extension endpoint pending upgrade
location = /p/ext.php {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
