CVE-2025-58173
Published: 16 December 2025
Description
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging…
more
in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue.
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of user inputs like the language configuration parameter to directly prevent path traversal attacks enabling unauthorized script execution.
Enforces approved access authorizations to block unprivileged users from invoking sensitive administrative scripts such as install.php via path traversal.
Limits privileges to the minimum necessary, reducing the impact of escalation to admin actions even if path traversal partially succeeds.
Security SummaryAI
CVE-2025-58173 is a path traversal vulnerability (CWE-22, CWE-20) in the `language` user configuration parameter of FreshRSS, a self-hosted RSS feed aggregator. Affecting versions 1.23.0 through 1.27.0, the flaw allows attackers to invoke the `install.php` script, enabling unprivileged users to execute various administrative functions. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete compromise.
An authenticated user with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. Successful exploitation grants the ability to impersonate the admin account, create new admin users, or reconfigure the database connection to an attacker-controlled MySQL server. From there, attackers can insert malicious `curl_params` into the `feed` table, leading to arbitrary code execution within the FreshRSS environment.
Mitigation is addressed in FreshRSS version 1.27.1, which patches the path traversal issue through changes in user configuration handling and install script access controls, as detailed in GitHub commits such as 79604aa4b3051f083d1734bd9e82c6a89d785c5a, dbbae15a8458679db0f4540dacdbdcff9c02ec8c, and ee175dd6169a016fc898fac62d046e22c205dec0, along with pull requests #7878 and #7971. Security practitioners should upgrade to 1.27.1 immediately and review access controls for unprivileged users.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly enables low-privileged authenticated users to invoke install.php for administrative actions, facilitating exploitation for privilege escalation (T1068) and local account creation (T1136.001).