CVE-2025-31482: FreshRSS vulnerable to DoS by malicious feed entry loading logout URL

4.3 CVSS

Description

FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue.

Classification

CVE ID: CVE-2025-31482

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Problem Types

CWE-352: Cross-Site Request Forgery (CSRF)

Affected Products

Vendor: FreshRSS

Product: FreshRSS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 1.88% (scored less or equal to compared to others)

EPSS Date: 2025-06-07 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-31482
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-vpmc-3fv2-jmgp

Timeline

2025-06-04 20:40:22 UTC
CVE

FreshRSS vulnerable to DoS by malicious feed entry loading logout URL