Weak Random Number Generation in FreshRSS Leads to Authentication Risks
CVE-2025-68932

2.9LOW

Key Information:

Vendor

Freshrss

Status
Freshrss
Vendor
CVE Published:
26 December 2025

What is CVE-2025-68932?

FreshRSS, a self-hostable RSS aggregator, previously utilized weak random number generators for creating authentication tokens and nonces. This vulnerability allowed potential attackers to predict valid session tokens, which could result in account takeover through persistent session hijacking. Affected users who opted for the 'remember me' feature were particularly at risk, as these tokens provided permanent authentication without additional credential checks. The issue has been resolved in version 1.28.0.

Affected Version(s)

FreshRSS < 1.28.0

References

https://github.com/FreshRSS/FreshRSS/security/advisories/...
x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/8061
x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/57e1a375cbd2d...
x_refsource_MISC

CVSS V4

Score:
2.9
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.