NIXPKGS-2026-0606

GitHub issue published 3 months, 2 weeks ago

Permalink CVE-2025-62166

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 3 months, 2 weeks ago by @mweinelt Activity log

Created suggestion 3 months, 2 weeks ago
@mweinelt ignored
7 packages
- freshrss-extensions.demo
- freshrss-extensions.youtube
- freshrss-extensions.auto-ttl
- freshrss-extensions.title-wrap
- freshrss-extensions.reading-time
- freshrss-extensions.reddit-image
- freshrss-extensions.unsafe-auto-login
3 months, 2 weeks ago
@mweinelt accepted 3 months, 2 weeks ago
@mweinelt published on GitHub 3 months, 2 weeks ago

FreshRSS has an IDOR which allows for viewing feeds of any user and leaking tokens

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

References

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w743-fg6g-mhwh x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/8165 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/releases/tag/1.28.0 x_refsource_MISC

Affected products

FreshRSS

==< 1.28.0

Matching in nixpkgs

pkgs.freshrss

FreshRSS is a free, self-hostable RSS aggregator

nixos-unstable 1.28.1
- nixpkgs-unstable 1.28.1
- nixos-unstable-small 1.28.1

Ignored packages (7)

pkgs.freshrss-extensions.demo

FreshRSS Extension for the demo version

nixos-unstable 2023-12-22
- nixpkgs-unstable 2023-12-22
- nixos-unstable-small 2023-12-22

pkgs.freshrss-extensions.youtube

FreshRSS extension allows you to directly watch YouTube/PeerTube videos from within subscribed channel feeds

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26

pkgs.freshrss-extensions.auto-ttl

FreshRSS extension for automatic feed refresh TTL based on the average frequency of entries

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0

pkgs.freshrss-extensions.title-wrap

FreshRSS extension instead of truncating the title is wrapped

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26

pkgs.freshrss-extensions.reading-time

FreshRSS extension adding a reading time estimation next to each article

nixos-unstable 1.5
- nixpkgs-unstable 1.5
- nixos-unstable-small 1.5

pkgs.freshrss-extensions.reddit-image

FreshRSS extension to process Reddit feeds

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.freshrss-extensions.unsafe-auto-login

FreshRSS extension to bring back unsafe autologin functionality.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26

Package maintainers

@Stunkymonkey Felix Bühler <account@buehler.rocks>

https://github.com/NixOS/nixpkgs/pull/473921

Patch not backported

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0606