PT-2025-23847 · Freshrss · Freshrss

Inverle · Published 2025-06-04 · Updated 2025-06-05 · CVE-2025-31136

CVSS v3.1: 6.7 Medium
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: FreshRSS versions prior to 1.26.2
Description: The issue allows an attacker to run arbitrary JavaScript on the feeds page by combining a cross-site scripting (XSS) issue in f.php with the lack of a Content Security Policy (CSP) on SVG favicons downloaded from an attacker-controlled feed. This is achieved by embedding the malicious favicon in an iframe with specific attributes. The attacker needs to control one of the feeds the victim is subscribed to and to have an account on the FreshRSS instance. The vulnerability can be exploited in two ways: one requires user interaction, the other fires as soon as the user adds the feed or logs into the account. This can lead to the attacker gaining access to the victim's account, and if the victim is an admin, it could result in damage such as deleting all users or executing arbitrary code on the server.
Recommendations: For versions prior to 1.26.2, update to version 1.26.2 to resolve the issue. As a temporary workaround, consider restricting access to the f.php file or disabling the lazy image loading functionality until the update is applied. Additionally, restrict the use of iframes with the sandbox="allow-scripts allow-same-origin" attribute to minimize the risk of exploitation.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-31136
GHSA-F6R4-JRVC-CFMR

Affected Products

Freshrss