CVE-2025-31134: CWE-201: Insertion of Sensitive Information Into Sent Data in FreshRSS FreshRSS

Medium
Published: Wed Jun 04 2025 (06/04/2025, 19:35:55 UTC)
Source: CVE Database V5
Vendor/Project: FreshRSS
Product: FreshRSS

Description

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue.

AI-Powered Analysis

Last updated: 07/06/2025, 19:11:02 UTC

Technical Analysis

CVE-2025-31134 is a medium severity vulnerability affecting FreshRSS, a self-hosted RSS feed aggregator, in versions prior to 1.26.2. The vulnerability is categorized under CWE-201, which involves the insertion of sensitive information into sent data. Specifically, an attacker can remotely probe the server hosting FreshRSS to determine the existence of certain directories. This reconnaissance can reveal critical information such as the presence of older PHP versions or other installed software components. Such information disclosure can aid attackers in crafting more targeted and effective attacks by identifying potential weaknesses or unpatched software on the server. The vulnerability requires no authentication or user interaction and can be exploited over the network, making it accessible to any remote attacker. The CVSS 4.0 base score is 5.5 (medium), reflecting the moderate impact of information disclosure without direct compromise of confidentiality, integrity, or availability. The issue was addressed in FreshRSS version 1.26.2, which includes patches to prevent directory existence checks from leaking sensitive server information. No known exploits are currently reported in the wild, but the vulnerability presents a risk by facilitating attacker reconnaissance.

Potential Impact

For European organizations using FreshRSS for internal or public RSS feed aggregation, this vulnerability poses a risk primarily through information disclosure. Attackers can gather intelligence about server configurations, such as outdated PHP versions or installed software, which can be leveraged to identify further exploitable vulnerabilities. This can lead to subsequent attacks that compromise confidentiality, integrity, or availability of organizational data and services. While the vulnerability itself does not directly allow code execution or data manipulation, it lowers the attacker's effort and increases the likelihood of successful exploitation of other vulnerabilities. Organizations in sectors with high reliance on web services, such as media, education, and government entities, may be particularly impacted if FreshRSS is part of their infrastructure. Additionally, since FreshRSS is self-hosted, the security posture depends heavily on the administrators’ patch management and server hardening practices. Failure to update to version 1.26.2 or later leaves organizations exposed to reconnaissance activities that can precede more severe attacks.

Mitigation Recommendations

European organizations should immediately upgrade all FreshRSS instances to version 1.26.2 or later to apply the official patch addressing this vulnerability. Beyond patching, administrators should implement strict access controls to limit exposure of the FreshRSS server to trusted networks only, reducing the attack surface. Employing web application firewalls (WAFs) can help detect and block suspicious probing activities targeting directory enumeration. Regularly auditing server configurations and removing or restricting access to legacy software versions, such as outdated PHP installations, will reduce the value of information disclosed if reconnaissance occurs. Additionally, monitoring server logs for unusual directory access patterns can provide early indicators of attempted exploitation. Organizations should also consider network segmentation to isolate FreshRSS servers from critical infrastructure and apply the principle of least privilege to all services and users interacting with the server.
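As an added example (not code from FreshRSS or from this advisory), the following script supports the upgrade recommendation by auditing a directory tree for FreshRSS installs older than 1.26.2. It assumes the version is declared in `constants.php` as `const FRESHRSS_VERSION = '…';`; the sample strings are constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 26, 2)  # first patched release, per the advisory

# Assumption: constants.php contains a line such as
#   const FRESHRSS_VERSION = '1.26.1';
VERSION_RE = re.compile(
    r"FRESHRSS_VERSION\s*=\s*['\"](\d+)\.(\d+)\.(\d+)(-[\w.]+)?['\"]")

# Constructed sample inputs, used when no directory is given.
SAMPLES = ["const FRESHRSS_VERSION = '1.26.1';",
           "const FRESHRSS_VERSION = '1.26.2-dev';",
           "const FRESHRSS_VERSION = '1.26.2';"]

def parse_version(php_source):
    """Return ((major, minor, patch), suffix) or None if no version is found."""
    m = VERSION_RE.search(php_source)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3])), m[4] or ""

def classify(php_source):
    parsed = parse_version(php_source)
    if parsed is None:
        return "unknown"
    numbers, suffix = parsed
    if numbers < FIXED:
        return "vulnerable"
    # A pre-release build of the fixed version may predate the patch.
    if numbers == FIXED and suffix:
        return "review"
    return "patched"

def audit(root):
    """Map each directory holding a FreshRSS constants.php to its status."""
    results = {}
    for constants in Path(root).rglob("constants.php"):
        text = constants.read_text(encoding="utf-8", errors="replace")
        if "FRESHRSS_VERSION" in text:
            results[str(constants.parent)] = classify(text)
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, status in sorted(audit(sys.argv[1]).items()):
            print(f"{status:10} {path}")
    else:
        for sample in SAMPLES:
            print(f"{classify(sample):10} {sample}")
```

Run it with the web root as the only argument; installs reported as `vulnerable` or `review` need the upgrade to 1.26.2 or later.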

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-03-26T15:04:52.627Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6840a1e1182aa0cae2bbf440

Added to database: 6/4/2025, 7:43:29 PM

Last enriched: 7/6/2025, 7:11:02 PM

Last updated: 7/31/2025, 6:19:35 AM
