CVE-2025-62166 Overview
CVE-2025-62166 is an authentication bypass vulnerability in FreshRSS, a free, self-hostable RSS aggregator. A bug in the authentication logic for master authentication tokens lets an unauthenticated attacker bypass the access restrictions on other users' feeds. Under normal circumstances, when anonymous viewing is enabled only the default user's feed is viewable without logging in, and every other user's feeds remain private. With this vulnerability, an attacker can read those private feeds by circumventing the intended check.
Critical Impact
Unauthorized access to private RSS feeds of all users when anonymous viewing is enabled, exposing potentially sensitive subscription data and reading habits.
Affected Products
- FreshRSS versions prior to 1.28.0
Discovery Timeline
- 2026-03-09 - CVE CVE-2025-62166 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2025-62166
Vulnerability Analysis
This vulnerability stems from improper access control (CWE-284) in FreshRSS's authentication handling. The application implements a master authentication token system to manage user access to RSS feeds. When anonymous viewing is enabled, the system should restrict access so that only the default user's feeds are publicly viewable while other users' feeds remain protected.
The flaw exists in how the authentication logic validates master tokens during feed access requests. Due to a bug in this validation process, the restriction mechanism is bypassed entirely, allowing unauthenticated users to access feeds belonging to any user account, not just the default user. This effectively negates the privacy controls that users expect when configuring their FreshRSS instance to allow limited anonymous access.
The vulnerability is exploitable over the network without requiring any user interaction or prior authentication.
Root Cause
The root cause is a logic error in the authentication check for master authentication tokens. The validation routine fails to properly enforce user-level restrictions when processing requests to view RSS feeds. This improper access control allows the authentication check to pass for users who should not have access to specific feed content, resulting in information disclosure.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:
- Identifying a FreshRSS instance with anonymous viewing enabled
- Crafting requests that leverage the flawed master token authentication logic
- Accessing private feeds belonging to users other than the default user
Successful exploitation exposes other users' subscription lists and feed content, and with them potentially sensitive information about their reading habits and interests.
For technical implementation details, refer to the GitHub Pull Request Discussion and the GitHub Security Advisory.
Detection Methods for CVE-2025-62166
Indicators of Compromise
- Successful (HTTP 200) requests to feed output or API endpoints that name a user other than the default user and carry neither a session cookie nor a sharing token
- One source IP requesting the feeds of several different users within a short window
- Access logs showing private feeds served to anonymous clients
- Bursts of requests to feed or API endpoints that do not match the instance's normal reader traffic
Detection Strategies
- Review web server access logs for requests to feed output and /api/ endpoints that reference users other than the default user, especially from clients with no session cookie
- Correlate the user named in each request with the session (if any) that made it; a feed belonging to one user served to an anonymous client, or to a session of a different user, is the bypass signature
- Alert on private feeds served to anonymous clients
- Add web application firewall rules that flag bursts of per-user feed requests from a single source
Monitoring Recommendations
- Enable detailed logging for authentication events in FreshRSS and in the web server in front of it, so that the requested user and the client session can be correlated
- Monitor for bulk feed enumeration attempts
- Track access patterns to user-specific feed URLs
- Implement rate limiting on feed access endpoints to slow potential exploitation
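The detection strategies above reduce to two checks on the access log: a successful feed read for a non-default user with no sharing token, and one client walking through many users' feeds. The script below is an added example (not FreshRSS project code) that runs those checks over constructed nginx combined-format log lines. It assumes feed requests identify the target user in a `user=` query parameter under /i/ or /api/, that legitimately shared feeds also carry a `token=` parameter, and that the default user is named `admin`; adjust these to your deployment.

```python
"""Detection heuristics for CVE-2025-62166-style feed access, run over web server logs.

Added example, not FreshRSS project code. Assumptions (verify locally):
- nginx "combined" log format in front of FreshRSS;
- feed output requests name the target user in a `user=` query parameter under
  /i/ or /api/, and legitimately shared feeds also carry a `token=` parameter;
- the default (anonymous-viewable) user is named "admin".
The log lines below are constructed samples.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
FEED_PREFIXES = ("/i/", "/api/")  # assumed endpoint prefixes to inspect

SAMPLE_LOG = """
203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "GET /i/?a=rss&user=admin HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2026:10:00:02 +0000] "GET /i/?a=rss&user=alice HTTP/1.1" 200 8210 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2026:10:00:03 +0000] "GET /i/?a=rss&user=bob HTTP/1.1" 200 7744 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2026:10:00:04 +0000] "GET /i/?a=rss&user=carol HTTP/1.1" 200 9001 "-" "curl/8.4.0"
198.51.100.5 - - [10/Mar/2026:10:05:00 +0000] "GET /i/?a=rss&user=dave&token=9f1c2b HTTP/1.1" 200 6100 "-" "Feedly/1.0"
198.51.100.5 - - [10/Mar/2026:10:05:01 +0000] "GET /i/?c=index&a=normal HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".strip()


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def feed_target(path):
    """Return (user, has_token) for a feed output request, or None for anything else."""
    if not path.startswith(FEED_PREFIXES):
        return None
    params = parse_qs(urlparse(path).query)
    user = params.get("user", [None])[0]
    if user is None:
        return None
    return user, "token" in params


def analyse(lines, default_user="admin", enum_threshold=3):
    """Flag private-feed reads served without a sharing token, and per-IP user enumeration."""
    findings = []
    users_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = feed_target(rec["path"])
        if target is None:
            continue
        user, has_token = target
        if user == default_user:
            continue  # the default user's feed is meant to be public under anonymous viewing
        users_by_ip[rec["ip"]].add(user)
        # A 200 for another user's feed with no sharing token is the bypass signature.
        if rec["status"] == "200" and not has_token:
            findings.append({"kind": "private_feed_no_token", "ip": rec["ip"],
                             "user": user, "ts": rec["ts"]})
    # One client reading several users' feeds is the enumeration pattern.
    for ip, users in users_by_ip.items():
        if len(users) >= enum_threshold:
            findings.append({"kind": "enumeration", "ip": ip, "users": sorted(users)})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

The token check is what keeps legitimately shared feeds (the `dave` line) out of the findings; without it, every anonymous reader of a deliberately shared feed would be flagged. Tune `enum_threshold` to the number of users on the instance.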
How to Mitigate CVE-2025-62166
Immediate Actions Required
- Upgrade FreshRSS to version 1.28.0 or later immediately
- Temporarily disable anonymous viewing if upgrade cannot be performed immediately
- Review access logs for signs of unauthorized feed access
- Audit user feeds for any sensitive or private information that may have been exposed
Patch Information
FreshRSS has released version 1.28.0 which addresses this vulnerability. The fix corrects the authentication logic to properly enforce user-level access restrictions when master authentication tokens are used.
Workarounds
- Disable anonymous viewing feature until the patch can be applied
- Restrict network access to the FreshRSS instance using firewall rules
- Implement reverse proxy authentication to add an additional authentication layer
- Configure web server access controls to limit access to trusted IP ranges
# Example: disable anonymous viewing in the FreshRSS configuration
# The setting lives in the PHP array returned by data/config.php in the FreshRSS install directory; set:
    'allow_anonymous' => false,

# Example: restrict access via nginx
# A location block only covers the path it names. /i/ is the web UI; if the /api/ endpoints
# are also reachable, apply the same allow/deny there or at the server level.
location /i/ {
    allow 192.168.1.0/24;
    deny all;
}
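Before and after applying the workarounds it is worth checking an install against the two conditions the advisory ties together: an unpatched version and anonymous viewing turned on. The script below is an added example (not FreshRSS project code) that reads those conditions from the install's files. It assumes the version is declared as `define('FRESHRSS_VERSION', '...')` in constants.php and that the instance settings are the PHP array in data/config.php with an `allow_anonymous` key, with the shipped default of false applying when the key is absent; the file bodies it ships with are constructed samples.

```python
"""Audit a FreshRSS install for the exposure conditions of CVE-2025-62166.

Added example, not FreshRSS project code. Assumptions: the installed version is
declared as define('FRESHRSS_VERSION', '...') in constants.php and the instance
settings live in the PHP array in data/config.php with an 'allow_anonymous' key;
when that key is absent the shipped default (false) is assumed. The file bodies
below are constructed samples.
"""
import re

FIXED_VERSION = (1, 28, 0)  # first release carrying the fix, per the advisory

VERSION_RE = re.compile(
    r"define\(\s*'FRESHRSS_VERSION'\s*,\s*'(\d+)\.(\d+)\.(\d+)([^']*)'\s*\)"
)
ANON_RE = re.compile(r"'allow_anonymous'\s*=>\s*(true|false)\b", re.IGNORECASE)


def parse_version(constants_php):
    """Return ((major, minor, patch), is_prerelease) from a constants.php body."""
    m = VERSION_RE.search(constants_php)
    if m is None:
        raise ValueError("FRESHRSS_VERSION not found")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, bool(m.group(4))  # a suffix such as -dev marks a pre-release build


def is_patched(constants_php):
    """1.28.0 and later are fixed; a 1.28.0 pre-release build is treated as unpatched."""
    nums, prerelease = parse_version(constants_php)
    if nums > FIXED_VERSION:
        return True
    return nums == FIXED_VERSION and not prerelease


def anonymous_viewing_enabled(config_php):
    """True only when the config explicitly sets 'allow_anonymous' => true."""
    m = ANON_RE.search(config_php)
    return m is not None and m.group(1).lower() == "true"


def assess(constants_php, config_php):
    """Classify an install: patched, or unpatched with/without the anonymous-viewing precondition."""
    if is_patched(constants_php):
        return "patched"
    if anonymous_viewing_enabled(config_php):
        return "vulnerable-exposed"      # unpatched and the bypass precondition is met
    return "vulnerable-not-exposed"     # unpatched, but anonymous viewing is off


# Constructed sample file bodies.
OLD_CONSTANTS = "<?php\ndefine('FRESHRSS_VERSION', '1.27.1');\n"
DEV_CONSTANTS = "<?php\ndefine('FRESHRSS_VERSION', '1.28.0-dev');\n"
NEW_CONSTANTS = "<?php\ndefine('FRESHRSS_VERSION', '1.28.0');\n"
ANON_ON_CONFIG = "<?php\nreturn array(\n\t'environment' => 'production',\n\t'allow_anonymous' => true,\n);\n"
ANON_OFF_CONFIG = "<?php\nreturn array(\n\t'environment' => 'production',\n\t'allow_anonymous' => false,\n);\n"

if __name__ == "__main__":
    import sys
    # Usage: audit.py /path/to/FreshRSS  (reads constants.php and data/config.php under that root)
    if len(sys.argv) > 1:
        root = sys.argv[1]
        with open(f"{root}/constants.php") as c, open(f"{root}/data/config.php") as d:
            print(assess(c.read(), d.read()))
    else:
        print(assess(OLD_CONSTANTS, ANON_ON_CONFIG))
```

The pre-release handling is deliberate: a `1.28.0-dev` build predates the 1.28.0 release and cannot be assumed to contain the fix, so it is classified as unpatched. "vulnerable-not-exposed" still means the upgrade is pending; it only records that the workaround of disabling anonymous viewing is in place.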
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

