CVE-2025-58173 HIGH

CVE-2025-58173: FreshRSS vulnerable to authenticated RCE via path traversal inside include()

Vendor Freshrss
Product FreshRSS
Weakness CWE-20 · Input validation
Published December 15, 2025
Last update December 16, 2025

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue.

Key dates

02Disclosure timeline

December 15, 2025 CVE published
December 16, 2025 Record updated