CVE-2025-54593 Overview
CVE-2025-54593 is a remote code execution vulnerability in FreshRSS, a self-hostable RSS aggregator. The flaw affects versions 1.26.1 and earlier. An authenticated administrator can modify the auto-update URL to point to an attacker-controlled server, then trigger an update to load and execute arbitrary code on the FreshRSS host. The issue is tracked under CWE-94 (Improper Control of Generation of Code). It is fixed in FreshRSS version 1.26.2.
Critical Impact
Successful exploitation allows arbitrary code execution on the server, exfiltration of hashed user credentials, defacement when filesystem permissions permit, and injection of malicious code that captures plaintext passwords at login.
Affected Products
- FreshRSS versions 1.26.1 and below
- Self-hosted FreshRSS instances exposing the administrator configuration interface
- Fixed in FreshRSS version 1.26.2
Discovery Timeline
- 2025-08-01 - CVE-2025-54593 published to NVD
- 2025-08-01 - FreshRSS releases version 1.26.2 with security patch via GitHub Pull Request #7477
- 2025-08-25 - Last updated in NVD database
Technical Details for CVE-2025-54593
Vulnerability Analysis
FreshRSS exposes an administrator setting named auto_update_url that controls where the application fetches update payloads. In vulnerable versions, the configuration controller accepted this value directly from HTTP form input and persisted it to system configuration. When an administrator subsequently triggered the update routine, FreshRSS fetched code from the attacker-controlled URL and executed it in the application context.
The vulnerability requires administrator privileges, but the resulting impact is full server-side code execution. Once code runs in the FreshRSS process, attackers can read the application database to exfiltrate hashed passwords, modify PHP source files when permissions allow, and inject hooks into the authentication flow to capture plaintext credentials at the next login.
Root Cause
The root cause is improper control of code generation: a privileged, but user-controllable, configuration field directly governed where executable update content was fetched from. The auto_update_url property on SystemConfiguration was writable through configureController.php, with no allowlist, signature verification, or integrity check on the resulting download.
Attack Vector
An attacker who has compromised or controls an administrator account submits a modified system configuration with auto-update-url pointing to a server they control. They host a malicious update payload at that URL, then invoke the FreshRSS update mechanism. FreshRSS retrieves and executes the payload, granting code execution under the FreshRSS service account.
// Security patch in app/Controllers/configureController.php
// Removes administrator's ability to set auto_update_url at runtime
$limits['cookie_duration'] = Minz_Request::paramInt('cookie-duration') ?: FreshRSS_Auth::DEFAULT_COOKIE_DURATION;
FreshRSS_Context::systemConf()->limits = $limits;
FreshRSS_Context::systemConf()->title = Minz_Request::paramString('instance-name') ?: 'FreshRSS';
- FreshRSS_Context::systemConf()->auto_update_url = Minz_Request::paramString('auto-update-url');
FreshRSS_Context::systemConf()->force_email_validation = Minz_Request::paramBoolean('force-email-validation');
FreshRSS_Context::systemConf()->save();
Source: GitHub commit dbdadbb
// Security patch in app/Models/SystemConfiguration.php
// auto_update_url is now read-only at the model level
* @property bool $api_enabled
* @property string $archiving
* @property 'form'|'http_auth'|'none' $auth_type
- * @property string $auto_update_url
+ * @property-read string $auto_update_url
* @property-read array<int,mixed> $curl_options
* @property string $default_user
* @property string $email_validation_token
Source: GitHub commit dbdadbb
Detection Methods for CVE-2025-54593
Indicators of Compromise
- Unexpected values in the FreshRSS system configuration auto_update_url field that do not match the project's official update endpoint.
- Outbound HTTP requests from the FreshRSS host to unfamiliar domains during update execution.
- Newly created or modified PHP files under the FreshRSS installation directory with recent timestamps.
- New or altered authentication-related code paths that log credentials or write to unusual locations.
Detection Strategies
- Review HTTP POST requests to the FreshRSS configure endpoint that include the auto-update-url parameter, and alert on any value pointing outside approved domains.
- Monitor the FreshRSS web server process for spawning child processes such as sh, bash, php, or curl, which is uncommon for normal RSS aggregation.
- Track file integrity on FreshRSS application directories and flag deviations from the released 1.26.2 distribution.
Monitoring Recommendations
- Enable application audit logging for administrator configuration changes and forward those events to a central log store.
- Capture egress network telemetry from the FreshRSS host and alert on connections to non-allowlisted hosts during update windows.
- Watch authentication logs for new or modified administrator accounts that could be used to reach the vulnerable configuration page.
How to Mitigate CVE-2025-54593
Immediate Actions Required
- Upgrade FreshRSS to version 1.26.2 or later, which removes administrator write access to auto_update_url.
- Rotate all FreshRSS user passwords after upgrading, since hashed credentials may have been exfiltrated on compromised instances.
- Audit administrator accounts and remove any unexpected users or API tokens created during the exposure window.
- Inspect the FreshRSS installation directory for unauthorized file modifications and restore from a known-good source if tampering is found.
Patch Information
The fix is delivered in FreshRSS release 1.26.2 through Pull Request #7477. The patch declares the auto_update_url property as @property-read in SystemConfiguration.php and removes the line in configureController.php that assigned it from the HTTP request. See the GitHub Security Advisory GHSA-jcww-48g9-wf57 for the full disclosure.
Workarounds
- Restrict network egress from the FreshRSS host so that only the official update domain is reachable.
- Limit access to the FreshRSS administrative interface to trusted networks via reverse proxy ACLs or VPN.
- Enforce strong authentication and multi-factor protection on all FreshRSS administrator accounts to reduce the chance of abuse.
# Upgrade FreshRSS to the patched version (Docker example)
docker pull freshrss/freshrss:1.26.2
docker stop freshrss && docker rm freshrss
docker run -d --name freshrss \
-v freshrss_data:/var/www/FreshRSS/data \
-v freshrss_extensions:/var/www/FreshRSS/extensions \
-p 8080:80 \
freshrss/freshrss:1.26.2
# Verify the installed version
docker exec freshrss cat /var/www/FreshRSS/constants.php | grep FRESHRSS_VERSION
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

