CVE-2025-68148 MEDIUM

CVE-2025-68148: FreshRSS globally denies access to feed via proxy modifying to 429 Retry-After

Vendor Freshrss
Product FreshRSS
Weakness CWE-770 · Uncontrolled resource consumption
Published December 26, 2025
Last update December 29, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, an attacker could globally deny access to feeds via a proxy modifying responses to 429 Retry-After for a large list of feeds on a given instance, making it unusable for the majority of users. This issue has been patched in version 1.28.0.

Key dates

02 Disclosure timeline

December 26, 2025 CVE published
December 29, 2025 Record updated