Unrated severityNVD Advisory· Published Sep 29, 2025· Updated Sep 30, 2025
FreshRSS has Incomplete Session Termination on Logout
CVE-2025-54592
Description
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/FreshRSS/FreshRSS/pull/7762mitrex_refsource_MISC
- github.com/FreshRSS/FreshRSS/releases/tag/1.27.0mitrex_refsource_MISC
- github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgrmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.