Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-46341

CVE-2025-46341: FreshRSS Auth Bypass Vulnerability

CVE-2025-46341 is an authentication bypass flaw in FreshRSS that allows attackers to impersonate users and escalate privileges. This post covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-46341 Overview

FreshRSS is a self-hosted RSS feed aggregator deployed by individuals and organizations to centralize feed reading. CVE-2025-46341 affects FreshRSS instances configured to use HTTP authentication behind a reverse proxy. Attackers with a valid account can impersonate any user, including administrators, by injecting the Remote-User or X-WebAuth-User headers through the add-feed functionality. Exploitation requires the proxied instance IP address, the admin's username, and Cross-Site Request Forgery (CSRF) token extraction via XPath scraping. The flaw is categorized as Server-Side Request Forgery [CWE-918] and is fixed in version 1.26.2.

Critical Impact

Authenticated low-privilege users can escalate to administrator and pivot to internal services through SSRF, unless the deployment uses OpenID Connect (OIDC) authentication.

Affected Products

  • FreshRSS versions prior to 1.26.2
  • FreshRSS deployments using HTTP authentication via reverse proxy
  • Instances trusting Remote-User or X-WebAuth-User headers without filtering

Discovery Timeline

  • 2025-06-04 - CVE-2025-46341 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-46341

Vulnerability Analysis

The vulnerability combines Server-Side Request Forgery with HTTP authentication header trust. FreshRSS's add-feed functionality permits the application to make outbound HTTP requests on behalf of the authenticated user. An attacker leverages this functionality to direct the server to fetch URLs that resolve back to the FreshRSS instance itself.

When the request loops back through the reverse proxy, the attacker controls headers such as Remote-User and X-WebAuth-User. The FreshRSS httpAuthUser() function consumed whichever header was present, allowing the attacker to be authenticated as any chosen account, including the admin. The attacker uses XPath scraping against the fetched response to retrieve the CSRF token tied to the impersonated session, then submits state-changing requests.

Deployments using OpenID Connect (OIDC) are not affected by the privilege escalation path because account identity is derived from token claims rather than proxy-supplied headers.

Root Cause

The httpAuthUser() function in lib/lib_rss.php accepted any of several authentication headers without verifying that exactly one was provided and without validating that the headers originated from the trusted reverse proxy. Multiple competing authentication headers could be present in a single request, and the application selected one without rejecting the ambiguous state.

Attack Vector

The attacker requires a low-privilege account on the FreshRSS instance, knowledge of the proxied instance IP address, and the target admin username. Using the add-feed feature, the attacker triggers a server-side request that loops to the FreshRSS instance with attacker-controlled authentication headers. The response yields the CSRF token via XPath, which the attacker reuses to perform administrative actions.

php
 function httpAuthUser(bool $onlyTrusted = true): string {
+	$auths = array_intersect_key($_SERVER, ['REMOTE_USER' => '', 'REDIRECT_REMOTE_USER' => '', 'HTTP_REMOTE_USER' => '', 'HTTP_X_WEBAUTH_USER' => '']);
+	if (count($auths) > 1) {
+		Minz_Log::warning('Multiple HTTP authentication headers!');
+		return '';
+	}
+
 	if (!empty($_SERVER['REMOTE_USER']) && is_string($_SERVER['REMOTE_USER'])) {
 		return $_SERVER['REMOTE_USER'];
 	}

Source: FreshRSS commit 6bb8680. The patch rejects requests containing more than one HTTP authentication header.

Detection Methods for CVE-2025-46341

Indicators of Compromise

  • Inbound HTTP requests containing both Remote-User and X-WebAuth-User headers on the same connection
  • Add-feed requests where the supplied URL resolves to the FreshRSS host or reverse proxy IP
  • Application logs showing the post-patch warning Multiple HTTP authentication headers!
  • Unexpected administrative actions performed by accounts that recently used the add-feed feature

Detection Strategies

  • Inspect reverse proxy access logs for add-feed (a=add) requests targeting loopback, private, or local addresses
  • Correlate authentication header values against the trusted upstream proxy to detect spoofed identity headers
  • Alert on session activity where the privilege level changes immediately after an add-feed call

Monitoring Recommendations

  • Enable verbose FreshRSS logging and forward Minz_Log warnings to a centralized logging pipeline
  • Monitor outbound HTTP requests from the FreshRSS server destined for its own IP ranges
  • Review administrator account creation and configuration changes against expected change windows

How to Mitigate CVE-2025-46341

Immediate Actions Required

  • Upgrade FreshRSS to version 1.26.2 or later on all instances
  • Audit reverse proxy configuration to strip incoming Remote-User, REDIRECT_REMOTE_USER, and X-WebAuth-User headers from client requests before forwarding
  • Review administrator account activity and CSRF token usage for the period preceding the upgrade
  • Disable the add-feed functionality temporarily if patching cannot be performed immediately

Patch Information

FreshRSS version 1.26.2 contains the fix. The remediation is implemented in commit 6bb8680ae0051b9a2ff344f17814f4fa5d844628 and documented in GitHub Security Advisory GHSA-w3m8-wcf4-h8vm. The patched httpAuthUser() function rejects requests that present more than one recognized HTTP authentication header.

Workarounds

  • Migrate authentication to OpenID Connect (OIDC), which is not affected by the privilege escalation path
  • Configure the reverse proxy to unset attacker-controllable authentication headers on every request
  • Restrict the FreshRSS instance so it cannot make HTTP requests to its own address space
bash
# nginx example: strip client-supplied auth headers before proxying
location / {
    proxy_set_header Remote-User "";
    proxy_set_header REDIRECT_REMOTE_USER "";
    proxy_set_header X-WebAuth-User "";
    proxy_set_header Remote-User $remote_user;
    proxy_pass http://freshrss_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.