PT-2026-24102 · Freshrss · Freshrss

Published: 2026-03-09 · Updated: 2026-03-10 · CVE-2025-68402

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: FreshRSS versions prior to 1.27.2-dev

Description: FreshRSS, a self-hostable RSS aggregator, contains a flaw related to password verification. A change in the length of the nonce, from 40 to 64 characters (between commits 57e1a37 and 00f2f04), causes the password verify() function to be called with a constructed string instead of the raw user password. This constructed string consists of a SHA-256 nonce combined with a portion of a bcrypt hash. Because bcrypt only hashes the first 72 bytes of its input, the password-dependent bytes fall outside that window and password verification succeeds even with an incorrect password. The issue was present in the edge branch but not in stable releases.

Recommendations: Update to version 1.27.2-dev or later.
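To make the truncation behaviour the description relies on concrete, the following is an added PHP illustration, not FreshRSS code: a constructed 64-byte nonce stand-in plus a constructed 8-byte fixed fragment exactly fill bcrypt's 72-byte window, so whatever password is appended after them never reaches the hash. It assumes a PHP build whose bcrypt silently truncates rather than raising an error (the long-standing behaviour), and the `buildInput` and `safeVerify` helpers are hypothetical names chosen here.

```php
<?php
// Added illustration (not FreshRSS code): bcrypt hashes only the first 72
// bytes of its input. If a caller concatenates fixed material in front of the
// password and that material is already 72 bytes long, the password bytes are
// silently dropped and any password verifies against the stored hash.

// Constructed stand-in for the 64-character hex nonce from the advisory.
$nonce = str_repeat('a', 64);
// Constructed stand-in for a fixed fragment appended after the nonce;
// 64 + 8 bytes fill bcrypt's 72-byte window exactly.
$fixedFragment = '$2y$10$X';

// Vulnerable pattern (hypothetical helper): the password lands after byte 72.
function buildInput(string $nonce, string $fragment, string $password): string
{
    return $nonce . $fragment . $password;
}

// Hash built from the composite string, as a vulnerable caller would do.
$storedHash = password_hash(
    buildInput($nonce, $fixedFragment, 'correct horse'),
    PASSWORD_BCRYPT
);

// Both calls compare the same 72-byte prefix; the differing password bytes
// lie beyond the window, so the wrong password is accepted as well.
var_dump(password_verify(buildInput($nonce, $fixedFragment, 'correct horse'), $storedHash));
var_dump(password_verify(buildInput($nonce, $fixedFragment, 'wrong password'), $storedHash));

// Defensive check (hypothetical helper): refuse any bcrypt input longer than
// 72 bytes so a concatenation mistake fails closed instead of truncating.
function safeVerify(string $input, string $hash): bool
{
    if (strlen($input) > 72) {
        throw new LengthException('bcrypt input exceeds 72 bytes; trailing bytes would be ignored');
    }
    return password_verify($input, $hash);
}

// Correct usage: hash and verify the raw password only, nothing prepended.
$rawHash = password_hash('correct horse', PASSWORD_BCRYPT);
var_dump(safeVerify('correct horse', $rawHash));
var_dump(safeVerify('wrong password', $rawHash));
```

Run with `php` on the command line; the first two `var_dump` calls show the composite-input verification succeeding for both passwords, the last two show the raw-password check correctly distinguishing them.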

Exploit

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers

CVE-2025-68402
GHSA-PCQ9-MQ6M-MVMP

Affected Products

Freshrss