CVE-2025-54592
CRITICALFreshRSS < 1.27.0 - Insufficient Session Expiration during Logout
Title source: llmDescription
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0
References (3)
Core 3
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr
Patch x_refsource_misc
https://github.com/FreshRSS/FreshRSS/pull/7762
Release Notes x_refsource_misc
https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0
Scores
CVSS v3
9.8
EPSS
0.0048
EPSS Percentile
37.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-613
Status
published
Products (1)
freshrss/freshrss
< 1.27.0
Published
Sep 29, 2025
Tracked Since
Feb 18, 2026