CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue.
Analysis
FreshRSS versions prior to 1.26.2 suffer from an information disclosure vulnerability that allows unauthenticated remote attackers to enumerate server directories and infer installed software versions (such as PHP versions) without requiring privileges or user interaction. This information leakage can be weaponized for reconnaissance to identify additional attack surfaces. The vulnerability has a CVSS 3.1 score of 7.5 (High) with a network attack vector and no complexity barriers, making it trivially exploitable at scale.
Technical Context
The vulnerability is rooted in CWE-201 (Information Exposure Through an Error Message), where FreshRSS improperly handles directory access requests, allowing attackers to infer the presence or absence of directories through HTTP response patterns or error messages. This is a path traversal/enumeration issue rather than a logic flaw. The affected product is FreshRSS (CPE: cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*), a self-hosted RSS feed aggregator written in PHP. The vulnerability allows attackers to probe for specific directories (e.g., legacy PHP version directories, configuration paths, or third-party software installations) and correlate response codes or message patterns to determine what software versions or components exist on the target system. This information can be used to identify known vulnerabilities in those specific versions.
Affected Products
FreshRSS (< 1.26.2)
Remediation
- Upgrade FreshRSS to version 1.26.2 or later (priority: High). The vendor has released version 1.26.2 containing a patch that addresses directory enumeration. Apply this update immediately to all instances.
- Mitigation (pre-patch): Restrict HTTP access via reverse proxy or firewall rules. Implement authentication at the reverse proxy/firewall layer (e.g., Basic Auth, OAuth2) to block unauthenticated directory probing. Configure the web server (Apache/Nginx) to deny directory listing and return consistent HTTP status codes for all non-existent paths.
- Mitigation (pre-patch): Deploy Web Application Firewall (WAF) rules. Use WAF rules to detect and block pattern-based directory enumeration attempts (e.g., probes for common PHP version directories).
- Detection: Monitor HTTP access logs for directory enumeration patterns. Search logs for high volumes of 404 responses to suspicious directory paths (e.g., /php5/, /php7/, /config/, /admin/) from single IP addresses over short time windows.
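The detection item above describes a log-hunting procedure in words. The following is an added example of that logic, written for this page and not code from FreshRSS or vuln.today: it parses combined-format access log lines, keeps only 404 responses to paths under a watch list of directory prefixes, and flags any client IP that produces a threshold number of such misses inside a sliding time window. The log lines, the prefix list, the threshold of 5 and the 60-second window are constructed assumptions; tune them to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed watch list: directory prefixes that a version/software probe would target.
# "/php" also covers /php5/, /php7/, /phpmyadmin/ and similar.
SUSPICIOUS_PREFIXES = ("/php", "/config", "/admin", "/vendor")

# Constructed sample log (not real traffic): one client sweeps several directories
# within 30 seconds, another makes ordinary requests, a third probes only twice.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /php5/ HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2025:12:00:03 +0000] "GET /i/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2025:12:00:05 +0000] "GET /php7/ HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jun/2025:12:00:09 +0000] "GET /config/ HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2025:12:00:10 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2025:12:00:14 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jun/2025:12:00:15 +0000] "GET /php8/ HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Jun/2025:12:00:20 +0000] "GET /php8/ HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jun/2025:12:00:22 +0000] "GET /vendor/ HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Jun/2025:12:00:30 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/8.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_probe(event):
    """A directory-enumeration probe: a 404 for a path under a watched prefix."""
    return event["status"] == 404 and event["path"].lower().startswith(SUSPICIOUS_PREFIXES)


def detect_enumeration(lines, threshold=5, window_s=60):
    """Return {ip: max_probes_in_window} for IPs whose suspicious 404s reach
    `threshold` inside any `window_s`-second sliding window."""
    per_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and is_probe(event):
            per_ip[event["ip"]].append(event["ts"])

    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} suspicious 404s within 60s")
```

Only the sweeping client trips the rule; the ordinary 404 for /favicon.ico is ignored because its path is not under a watched prefix, and the two-request client stays below the threshold. Feed real log files line by line into `detect_enumeration` and raise the threshold if scanners from shared NAT addresses produce noise.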
Vendor Status
Debian (Bug #1032767)
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
|  | open | - | - |
EUVD-2025-16907