CVE-2025-46341 Overview
FreshRSS is a self-hosted RSS feed aggregator deployed by individuals and organizations to centralize feed reading. CVE-2025-46341 affects FreshRSS instances configured to use HTTP authentication behind a reverse proxy. Attackers with a valid account can impersonate any user, including administrators, by injecting the Remote-User or X-WebAuth-User headers through the add-feed functionality. Exploitation requires the proxied instance IP address, the admin's username, and Cross-Site Request Forgery (CSRF) token extraction via XPath scraping. The flaw is categorized as Server-Side Request Forgery [CWE-918] and is fixed in version 1.26.2.
Critical Impact
Authenticated low-privilege users can escalate to administrator and pivot to internal services through SSRF, unless the deployment uses OpenID Connect (OIDC) authentication.
Affected Products
- FreshRSS versions prior to 1.26.2
- FreshRSS deployments using HTTP authentication via reverse proxy
- Instances trusting Remote-User or X-WebAuth-User headers without filtering
Discovery Timeline
- 2025-06-04 - CVE-2025-46341 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-46341
Vulnerability Analysis
The vulnerability combines Server-Side Request Forgery with HTTP authentication header trust. FreshRSS's add-feed functionality permits the application to make outbound HTTP requests on behalf of the authenticated user. An attacker leverages this functionality to direct the server to fetch URLs that resolve back to the FreshRSS instance itself.
When the request loops back through the reverse proxy, the attacker controls headers such as Remote-User and X-WebAuth-User. The FreshRSS httpAuthUser() function consumed whichever header was present, allowing the attacker to be authenticated as any chosen account, including the admin. The attacker uses XPath scraping against the fetched response to retrieve the CSRF token tied to the impersonated session, then submits state-changing requests.
Deployments using OpenID Connect (OIDC) are not affected by the privilege escalation path because account identity is derived from token claims rather than proxy-supplied headers.
Root Cause
The httpAuthUser() function in lib/lib_rss.php accepted any of several authentication headers without verifying that exactly one was provided and without validating that the headers originated from the trusted reverse proxy. Multiple competing authentication headers could be present in a single request, and the application selected one without rejecting the ambiguous state.
Attack Vector
The attacker requires a low-privilege account on the FreshRSS instance, knowledge of the proxied instance IP address, and the target admin username. Using the add-feed feature, the attacker triggers a server-side request that loops to the FreshRSS instance with attacker-controlled authentication headers. The response yields the CSRF token via XPath, which the attacker reuses to perform administrative actions.
function httpAuthUser(bool $onlyTrusted = true): string {
+ $auths = array_intersect_key($_SERVER, ['REMOTE_USER' => '', 'REDIRECT_REMOTE_USER' => '', 'HTTP_REMOTE_USER' => '', 'HTTP_X_WEBAUTH_USER' => '']);
+ if (count($auths) > 1) {
+ Minz_Log::warning('Multiple HTTP authentication headers!');
+ return '';
+ }
+
if (!empty($_SERVER['REMOTE_USER']) && is_string($_SERVER['REMOTE_USER'])) {
return $_SERVER['REMOTE_USER'];
}
Source: FreshRSS commit 6bb8680. The patch rejects requests containing more than one HTTP authentication header.
Detection Methods for CVE-2025-46341
Indicators of Compromise
- Inbound HTTP requests containing both Remote-User and X-WebAuth-User headers on the same connection
- Add-feed requests where the supplied URL resolves to the FreshRSS host or reverse proxy IP
- Application logs showing the post-patch warning Multiple HTTP authentication headers!
- Unexpected administrative actions performed by accounts that recently used the add-feed feature
Detection Strategies
- Inspect reverse proxy access logs for add-feed (a=add) requests targeting loopback, private, or local addresses
- Correlate authentication header values against the trusted upstream proxy to detect spoofed identity headers
- Alert on session activity where the privilege level changes immediately after an add-feed call
Monitoring Recommendations
- Enable verbose FreshRSS logging and forward Minz_Log warnings to a centralized logging pipeline
- Monitor outbound HTTP requests from the FreshRSS server destined for its own IP ranges
- Review administrator account creation and configuration changes against expected change windows
How to Mitigate CVE-2025-46341
Immediate Actions Required
- Upgrade FreshRSS to version 1.26.2 or later on all instances
- Audit reverse proxy configuration to strip incoming Remote-User, REDIRECT_REMOTE_USER, and X-WebAuth-User headers from client requests before forwarding
- Review administrator account activity and CSRF token usage for the period preceding the upgrade
- Disable the add-feed functionality temporarily if patching cannot be performed immediately
Patch Information
FreshRSS version 1.26.2 contains the fix. The remediation is implemented in commit 6bb8680ae0051b9a2ff344f17814f4fa5d844628 and documented in GitHub Security Advisory GHSA-w3m8-wcf4-h8vm. The patched httpAuthUser() function rejects requests that present more than one recognized HTTP authentication header.
Workarounds
- Migrate authentication to OpenID Connect (OIDC), which is not affected by the privilege escalation path
- Configure the reverse proxy to unset attacker-controllable authentication headers on every request
- Restrict the FreshRSS instance so it cannot make HTTP requests to its own address space
# nginx example: strip client-supplied auth headers before proxying
location / {
proxy_set_header Remote-User "";
proxy_set_header REDIRECT_REMOTE_USER "";
proxy_set_header X-WebAuth-User "";
proxy_set_header Remote-User $remote_user;
proxy_pass http://freshrss_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

