Access Denial Vulnerability in FreshRSS by FreshRSS
CVE-2025-68148
4.3 MEDIUM
What is CVE-2025-68148?
FreshRSS, a self-hosted RSS aggregator, is susceptible to an access denial issue affecting versions from 1.27.0 up to, but not including, 1.28.0. An attacker can exploit this vulnerability by modifying proxy settings so that a '429 Retry-After' response is issued for a large set of feeds. This can render the application unusable for most users by denying them access to the content they depend on. The vulnerability has been addressed in version 1.28.0, which includes patches to ensure reliable access to RSS feeds.
Affected Version(s)
FreshRSS >= 1.27.0, < 1.28.0
