CVE-2025-54875 — AI Deep Analysis Summary

🚨 **Essence**: FreshRSS has an **Access Control Error**. 📉 **Consequences**: Attackers can create **Admin Accounts** without permission. This leads to full system compromise, data theft, and unauthorized control. 💥

🛡️ **Root Cause**: **CWE-284** (Improper Access Control). The flaw lies in the **Registration Function**. It fails to validate hidden fields, allowing unauthenticated users to bypass security checks. 🔍

📦 **Affected**: **FreshRSS** (Open Source RSS Aggregator). 📅 **Versions**: **1.16.0** through **1.26.3**. If you are on these versions, you are vulnerable! ⚠️

💀 **Attacker Actions**: Gain **Administrator Privileges**. 👑 They can read all feeds, modify settings, inject malicious content, and potentially execute code. Data integrity is completely lost. 📂

🔓 **Threshold**: **LOW**. 🚫 **Auth Required**: None. 📝 **Config**: Only requires **Registration Enabled**. If users can sign up, attackers can exploit this easily. No UI interaction needed. 🏃‍♂️

📜 **Public Exp?**: **Yes**. A GitHub Security Advisory (GHSA-h625-ghr3-jppq) confirms the issue. While no specific PoC code is listed in the data, the vulnerability is confirmed and documented. 🕵️‍♀️

🔍 **Self-Check**: 1. Check your FreshRSS version (1.16.0-1.26.3). 2. Verify if **User Registration** is enabled. 3. Scan for hidden field manipulation in registration requests. 🛠️

✅ **Fixed?**: **Yes**. 🆕 **Patch**: Version **1.27.0** resolves this issue. 📥 **Action**: Upgrade immediately to 1.27.0 or later. Pull request #7783 details the fix. 🔧

🚧 **No Patch?**: **Disable User Registration** immediately. 🚫 Prevent new accounts from being created via the vulnerable endpoint. This is the only effective workaround until patched. 🛑

🔥 **Urgency**: **CRITICAL**. 🚨 CVSS Score is **High** (AV:N/AC:L/PR:N). Easy to exploit, no auth needed, full admin access gained. Patch **NOW** to prevent takeover. ⏳