CVE-2025-68148
MEDIUMFreshrss < 1.28.0 - Resource Allocation Without Limits
Title source: ruleDescription
FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for a large list of feeds on given instance, making it unusable for majority of users. This issue has been patched in version 1.28.0.
References (3)
Core 3
Core References
Exploit, Patch, Vendor Advisory x_refsource_confirm
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78
Issue Tracking x_refsource_misc
https://github.com/FreshRSS/FreshRSS/pull/8029
Scores
CVSS v3
4.3
EPSS
0.0002
EPSS Percentile
5.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (1)
freshrss/freshrss
1.27.0 - 1.28.0
Published
Dec 27, 2025
Tracked Since
Feb 18, 2026