PT-2025-53609 · Freshrss · Freshrss

Hackerman70000 · Published 2025-12-26 · Updated 2026-01-01 · CVE-2025-68932

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreshRSS versions prior to 1.28.0
Description: FreshRSS uses weak random number generators (mt_rand() and uniqid()) to create remember-me authentication tokens and challenge-response nonces. Because these generators are predictable, an attacker can derive valid tokens, potentially leading to account takeover through persistent session hijacking. The remember-me tokens grant permanent authentication and back the "keep me logged in" feature.
Recommendations: Update to version 1.28.0 or later.
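As an added illustration (not FreshRSS's own code, and the function names are assumptions), the first generator below builds a remember-me token from uniqid() and mt_rand(), the pattern the advisory describes, while the second draws from the operating system's CSPRNG via random_bytes(), stores only a hash of the token server-side, and verifies it in constant time; the nonce helper applies the same rule to challenge-response values.

```php
<?php
declare(strict_types=1);

// Weak pattern (illustrative only): uniqid() is derived from the system clock and
// mt_rand() is a Mersenne Twister, which the PHP manual documents as not
// cryptographically secure. The resulting token carries far less entropy than its
// length suggests, which is unacceptable for a long-lived "keep me logged in" credential.
function weakRememberMeToken(): string
{
    return sha1(uniqid((string) mt_rand(), true));
}

// Hardened pattern: 32 bytes from the OS CSPRNG. random_bytes() throws an Exception
// if no secure source is available rather than silently degrading.
// The raw token is sent to the client in the cookie; only its hash is persisted,
// so a leaked database does not hand out usable tokens.
function secureRememberMeToken(): array
{
    $token  = bin2hex(random_bytes(32));   // 256 bits of entropy, 64 hex characters
    $stored = hash('sha256', $token);      // value to keep with the user record
    return ['cookie' => $token, 'stored' => $stored];
}

// Verification: reject malformed input early, then compare hashes in constant time
// so the check does not leak timing information about the stored value.
function verifyRememberMeToken(string $presented, string $storedHash): bool
{
    if (strlen($presented) !== 64 || !ctype_xdigit($presented)) {
        return false;
    }
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Challenge-response nonces need the same entropy source; never uniqid().
function secureNonce(): string
{
    return bin2hex(random_bytes(16));
}

// Demonstration
$t = secureRememberMeToken();
var_dump(verifyRememberMeToken($t['cookie'], $t['stored']));
var_dump(verifyRememberMeToken(str_repeat('0', 64), $t['stored']));
```

When reviewing a PHP code base for this class of issue, grep for mt_rand(), rand(), uniqid() and lcg_value() anywhere a value is later used as a credential, nonce or reset token; random_bytes() and random_int() are the drop-in replacements.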

Related Identifiers

CVE-2025-68932
GHSA-J9WC-GWC6-P786

Affected Products

Freshrss