EUVD-2025-16930

CVE-2025-46341 | HIGH 7.1 (CVSS 3.1) | Published 2025-06-04

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline (5 events, newest first)

Analysis Generated: Mar 14, 2026 - 17:29 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 17:29 (euvd) - EUVD-2025-16930
Patch Released: Mar 14, 2026 - 17:29 (nvd) - Patch available
PoC Detected: Aug 12, 2025 - 15:34 (vuln.today) - Public exploit code
CVE Published: Jun 04, 2025 - 21:15 (nvd) - HIGH 7.1

Description

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the `Remote-User` header or the `X-WebAuth-User` header by making specially crafted requests via the add feed functionality and obtaining the CSRF token via XPath scraping. The attacker has to know the IP address of the proxied FreshRSS instance and the admin's username, while also having an account on the instance. An attacker can send specially crafted requests in order to gain unauthorized access to internal services. This can also lead to privilege escalation like in the demonstrated scenario, although users that have set up OIDC are not affected by privilege escalation. Version 1.26.2 contains a patch for the issue.

Analysis

High-severity (CVSS 3.1 score 7.1) authentication bypass in FreshRSS before 1.26.2. In deployments where a reverse proxy performs HTTP authentication and passes the identity to FreshRSS in the Remote-User or X-WebAuth-User header, an authenticated low-privilege user can make FreshRSS impersonate any other user, including the administrator. The add feed functionality makes the FreshRSS server itself fetch a URL chosen by the attacker; aiming that fetch at the proxied instance's own address with a spoofed Remote-User or X-WebAuth-User header reaches the application without passing through the proxy, and the XPath scraping feature extracts the resulting page content, including the victim's CSRF token. CVSS rates attack complexity as High because the attacker needs an account on the instance, the admin's username and the internal address of the proxied instance, but the resulting impersonation and privilege-escalation chain gives the issue a high real-world impact, and public proof-of-concept code exists.

Technical Context

FreshRSS is a self-hosted RSS feed aggregator that can delegate authentication to a reverse proxy: the proxy authenticates the user and forwards the identity in the Remote-User or X-WebAuth-User header, which FreshRSS then trusts. The weakness is classed as CWE-918 (Server-Side Request Forgery) because the entry point is the add feed functionality: FreshRSS fetches feed URLs from the server side, and that fetch can be aimed at the proxied FreshRSS instance itself carrying a spoofed Remote-User or X-WebAuth-User header. Because the request originates on the server and never passes through the proxy, FreshRSS cannot distinguish a proxy-supplied identity header from an attacker-supplied one and treats the request as coming from whatever user the header names. The XPath scraping feature, which turns an HTML page into a feed, then extracts the impersonated user's page content, including the CSRF token. The root cause is trust in an upstream identity header without verifying that the request actually arrived through the authenticating proxy. Affected versions: FreshRSS < 1.26.2. The vulnerability is specific to deployments using reverse proxy-based HTTP authentication; FreshRSS's built-in form authentication does not read these headers and is not affected, and OIDC deployments are not affected by the privilege-escalation step.

Affected Products

All FreshRSS versions prior to 1.26.2 are vulnerable. Affected configurations: FreshRSS instances behind a reverse proxy that handles HTTP authentication and forwards the user identity in the Remote-User or X-WebAuth-User header. Non-affected configurations: instances using OIDC authentication (explicitly noted as not vulnerable to the privilege escalation). No CPE is provided in the source data; the affected product is the FreshRSS feed aggregator in self-hosted deployments. Patched version: FreshRSS 1.26.2 and later. No vendor advisory URL is provided in the source data.

Remediation

Immediate remediation: (1) Upgrade FreshRSS to version 1.26.2 or later, which contains the patch. (2) If an immediate upgrade is not possible, make the application reachable only through the authenticating proxy: bind the FreshRSS backend to a Unix socket or to an address that only the proxy can reach, and apply network-level access controls so that nothing else, including the feed fetcher running on the FreshRSS host itself, can connect to the backend directly. (3) At the proxy, always overwrite Remote-User and X-WebAuth-User with the proxy-authenticated identity (or clear them) instead of passing through whatever the client sent, so that a spoofed header can never reach the application from outside. (4) Migrate to OIDC authentication if feasible, since OIDC deployments are not affected by the privilege-escalation chain. (5) Review the feed subscriptions of every account, and any available application logs, for feeds whose URL points at the instance's own hostname, loopback or internal address ranges, and for XPath-scraped feeds added by non-admin users; treat any such feed as a likely impersonation attempt and rotate the affected users' sessions. Workaround: temporarily disable reverse proxy HTTP authentication and use FreshRSS native form authentication until the patch is applied.
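As an added illustration of the trust problem described under Technical Context and of remediation items (2) and (3) above (example code written for this page, not FreshRSS's code and not its 1.26.2 patch): a small Python model of an application that takes its user identity from Remote-User / X-WebAuth-User. Function names, the trusted_proxies and self_hosts settings, the resolver and the attacker's feed request are all hypothetical and constructed inline so the script runs offline. It shows why a check on the requesting IP alone is not enough when the trusted-proxy list includes loopback, because the server-side feed fetcher connects from that same address, and that an egress check refusing feed URLs that resolve to the instance itself or to private ranges is what breaks the chain.

```python
"""Hypothetical model of proxy-header identity trust, written for this page.

Not FreshRSS code and not the 1.26.2 patch: it models the trust decision the
advisory describes and two mitigations an operator can apply.
"""
import ipaddress
from urllib.parse import urlsplit

# Headers a reverse proxy may use to pass the authenticated user downstream.
IDENTITY_HEADERS = ("remote-user", "x-webauth-user")

# Destinations the server-side fetcher must never be allowed to reach.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def _identity_from_headers(headers):
    """Return the first non-empty identity header value, or None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in IDENTITY_HEADERS:
        if lowered.get(name):
            return lowered[name]
    return None


def resolve_user_vulnerable(headers):
    """Vulnerable pattern: the header is believed regardless of who sent it."""
    return _identity_from_headers(headers)


def resolve_user_hardened(headers, remote_addr, trusted_proxies):
    """Only believe the header when the TCP peer is a configured proxy.

    trusted_proxies: list of CIDR strings (hypothetical config key).
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return None
    return _identity_from_headers(headers)


def feed_url_allowed(url, resolve, self_hosts):
    """Egress check for a server-side fetcher (the add-feed path).

    resolve(hostname) -> list of IP strings is injected so the check runs
    offline; in production resolve once and connect to the returned IP so a
    DNS rebind cannot swap the target between check and connect.
    self_hosts: hostnames the instance answers to (hypothetical config key).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in self_hosts:
        return False
    addrs = resolve(host)
    if not addrs:
        return False
    for ip in addrs:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in BLOCKED_RANGES):
            return False
    return True


def fake_dns(hostname):
    """Constructed resolver: the instance's own names map to loopback."""
    if hostname in ("localhost", "127.0.0.1", "rss.internal"):
        return ["127.0.0.1"]
    return ["203.0.113.10"]  # TEST-NET-3, stands in for a real feed host


def simulate_attack(trusted_proxies, self_hosts=frozenset({"rss.internal"})):
    """Constructed attacker feed: the fetcher, running on the FreshRSS host,
    requests the instance itself with a spoofed identity header."""
    feed_url = "http://127.0.0.1/i/?c=user&a=manage"
    spoofed = {"Remote-User": "admin", "Accept": "text/html"}
    fetcher_src = "127.0.0.1"  # the request never passed through the proxy
    return {
        "vulnerable": resolve_user_vulnerable(spoofed),
        "peer_check": resolve_user_hardened(spoofed, fetcher_src, trusted_proxies),
        "fetch_blocked": not feed_url_allowed(feed_url, fake_dns, self_hosts),
    }


if __name__ == "__main__":
    # Loopback in the proxy list: the peer check alone still admits the spoof.
    print(simulate_attack(["127.0.0.0/8"]))
    # Only the proxy's real address trusted: the peer check stops it.
    print(simulate_attack(["10.0.0.5/32"]))
```

The first run returns "admin" from both the vulnerable and the peer-checked resolver, because a loopback fetcher is indistinguishable from a loopback proxy; only fetch_blocked is True. Trusting just the proxy's own address makes the peer check return None as well. Both controls are worth having: the egress check also covers the "unauthorized access to internal services" part of the description, not only the identity spoof.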

Priority Score: 56 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Vendor Status

Debian - Bug #1032767 (freshrss)
Release: - | Status: open | Fixed Version: - | Urgency: -
