CVE-2025-68932 – FreshRSS has weak cryptographic randomness in remember-me token and nonce generation

CVE ID : CVE-2025-68932

Published : Dec. 26, 2025, 11:43 p.m. | 39 minutes ago

Description : FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for “keep me logged in” functionality. This issue has been patched in version 1.28.0.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…