Home > Vulnerability Database > CVE-2025-54592

Mend.io Vulnerability Database

CVE-2025-54592

Good to know:

Date: September 29, 2025

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0

Severity Score

9.1

Related Resources (5)

Url: https://github.com/FreshRSS/FreshRSS/pull/7762

Url: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr

Url: https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-54592

Url: https://www.mend.io/vulnerability-database/CVE-2025-54592

Severity Score

9.1

Weakness Type (CWE)

Insufficient Session Expiration

CWE-613

Top Fix

Upgrade Version

Upgrade to version https://github.com/FreshRSS/FreshRSS.git - 1.27.0

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-54592

Good to know:

Date: September 29, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?