OSV Advisory · Severity: Unrated · Published Dec 26, 2025 · Updated Dec 29, 2025
FreshRSS has weak cryptographic randomness in remember-me token and nonce generation
CVE-2025-68932
Description
FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for "keep me logged in" functionality. This issue has been patched in version 1.28.0.
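As an added illustration of the weakness the description names (not FreshRSS's own code, and not the code changed in the referenced patch), the PHP below places a token generator built on mt_rand() and uniqid() beside one built on random_bytes(), the CSPRNG interface PHP provides for exactly this purpose. The function names and the hashed-storage scheme are hypothetical choices for this example, not FreshRSS's design.

```php
<?php
// Added example, not FreshRSS code. All function names are hypothetical.
//
// The advisory's weakness: mt_rand() is a Mersenne Twister PRNG and uniqid()
// is derived from the current time in microseconds. Neither is a CSPRNG, so
// a value built from them is unsuitable as a bearer credential such as a
// remember-me token or a challenge-response nonce.

// Weak pattern (do not use for credentials): output depends only on the
// clock and the PRNG state, so it is not unpredictable to an outside party.
function weak_remember_me_token(): string {
    return md5(uniqid((string) mt_rand(), true));
}

// Hardened pattern: random_bytes() reads from the operating system CSPRNG.
// 32 bytes is 256 bits of entropy, rendered as 64 hex characters.
function strong_remember_me_token(): string {
    return bin2hex(random_bytes(32));
}

// The same primitive serves a challenge-response nonce; 16 bytes (128 bits)
// is ample for a single-use value.
function strong_nonce(): string {
    return bin2hex(random_bytes(16));
}

// Store only a hash of the token server-side, so a database read does not
// yield a usable credential. SHA-256 is sufficient because the input is a
// full-entropy random value, not a user-chosen password.
function token_storage_hash(string $token): string {
    return hash('sha256', $token);
}

// Compare with hash_equals() to avoid a timing side channel on the comparison.
function remember_me_cookie_is_valid(string $presented, string $storedHash): bool {
    return hash_equals($storedHash, token_storage_hash($presented));
}

// Self-check a reviewer can run: a freshly issued token validates against its
// stored hash, a different value does not, and lengths match the byte counts.
function self_check(): bool {
    $token  = strong_remember_me_token();
    $stored = token_storage_hash($token);
    $other  = strong_remember_me_token();

    return strlen($token) === 64
        && strlen(strong_nonce()) === 32
        && remember_me_cookie_is_valid($token, $stored)
        && !remember_me_cookie_is_valid($other, $stored);
}

var_dump(self_check());
```

The practical review rule this encodes: any value that functions as a credential (session id, remember-me token, nonce, password-reset token) must come from random_bytes() or random_int(), never from mt_rand(), rand(), uniqid() or a hash of the time. A code search for those four calls near cookie or token handling is a quick way to audit a PHP codebase for the same class of defect.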
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)
- https://github.com/FreshRSS/FreshRSS/commit/57e1a375cbd2db9741ff19167813344f8eff5772 (MISC)
- https://github.com/FreshRSS/FreshRSS/pull/8061 (MISC)
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j9wc-gwc6-p786 (CONFIRM)