8.2
CVE-2025-68402
- EPSS 0.28%
- Veröffentlicht 09.03.2026 19:41:57
- Zuletzt bearbeitet 28.04.2026 21:11:07
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch]
FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the lengths of the nonce was changed from 40 chars to 64. password_verify() is currently being called with a constructed string (SHA-256 nonce + part of a bcrypt hash) instead of the raw user password. Due to bcrypt’s 72-byte input truncation, this causes password verification to succeed even when the user enters an incorrect password. This vulnerability is fixed in 1.27.2-dev (476e57b). The issue was only present in the edge branch and never in a stable release.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerFreshRSS
≫
Produkt
FreshRSS
Version
< 476e57b04646416e24e24c56133c9fadf9e52b95
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.199 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.2 | 0 | 0 |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://github.com/FreshRSS/FreshRSS/pull/8061
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-pcq9-mq6m-mvmp
https://github.com/FreshRSS/FreshRSS/pull/8320
https://github.com/FreshRSS/FreshRSS/commit/476e57b04646416e24e24c56133c9fadf9e52b95