NIXPKGS-2026-0608

GitHub issue published 3 months, 2 weeks ago

Permalink CVE-2025-68402

updated 3 months, 2 weeks ago by @mweinelt Activity log

Created suggestion 3 months, 2 weeks ago
@mweinelt ignored
7 packages
- freshrss-extensions.demo
- freshrss-extensions.youtube
- freshrss-extensions.auto-ttl
- freshrss-extensions.title-wrap
- freshrss-extensions.reading-time
- freshrss-extensions.reddit-image
- freshrss-extensions.unsafe-auto-login
3 months, 2 weeks ago
@mweinelt accepted 3 months, 2 weeks ago
@mweinelt published on GitHub 3 months, 2 weeks ago

FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch]

FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the lengths of the nonce was changed from 40 chars to 64. password_verify() is currently being called with a constructed string (SHA-256 nonce + part of a bcrypt hash) instead of the raw user password. Due to bcrypt’s 72-byte input truncation, this causes password verification to succeed even when the user enters an incorrect password. This vulnerability is fixed in 1.27.2-dev (476e57b). The issue was only present in the edge branch and never in a stable release.

References

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-pcq9-mq6m-mvmp x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/8061 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/pull/8320 x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/476e57b04646416e24e24c56133c9fadf9e52b95 x_refsource_MISC

Affected products

FreshRSS

==< 476e57b04646416e24e24c56133c9fadf9e52b95

Matching in nixpkgs

pkgs.freshrss

FreshRSS is a free, self-hostable RSS aggregator

nixos-unstable 1.28.1
- nixpkgs-unstable 1.28.1
- nixos-unstable-small 1.28.1

Ignored packages (7)

pkgs.freshrss-extensions.demo

FreshRSS Extension for the demo version

nixos-unstable 2023-12-22
- nixpkgs-unstable 2023-12-22
- nixos-unstable-small 2023-12-22

pkgs.freshrss-extensions.youtube

FreshRSS extension allows you to directly watch YouTube/PeerTube videos from within subscribed channel feeds

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26

pkgs.freshrss-extensions.auto-ttl

FreshRSS extension for automatic feed refresh TTL based on the average frequency of entries

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0

pkgs.freshrss-extensions.title-wrap

FreshRSS extension instead of truncating the title is wrapped

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26

pkgs.freshrss-extensions.reading-time

FreshRSS extension adding a reading time estimation next to each article

nixos-unstable 1.5
- nixpkgs-unstable 1.5
- nixos-unstable-small 1.5

pkgs.freshrss-extensions.reddit-image

FreshRSS extension to process Reddit feeds

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.freshrss-extensions.unsafe-auto-login

FreshRSS extension to bring back unsafe autologin functionality.

nixos-unstable 2025-12-26
- nixpkgs-unstable 2025-12-26
- nixos-unstable-small 2025-12-26

Package maintainers

@Stunkymonkey Felix Bühler <account@buehler.rocks>

https://github.com/NixOS/nixpkgs/pull/473921

Patches not backported yet.

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0608