Unrated severityNVD Advisory· Published Sep 29, 2025· Updated Sep 30, 2025
FreshRSS has Incomplete Session Termination on Logout
CVE-2025-54592
Description
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/FreshRSS/FreshRSS/pull/7762mitrex_refsource_MISC
- github.com/FreshRSS/FreshRSS/releases/tag/1.27.0mitrex_refsource_MISC
- github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgrmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.