
CVE-2025-46341: CWE-918: Server-Side Request Forgery (SSRF) in FreshRSS FreshRSS

High
Tags: Vulnerability, CVE-2025-46341, cve, cwe-918
Published: Wed Jun 04 2025 (06/04/2025, 20:09:18 UTC)
Source: CVE Database V5
Vendor/Project: FreshRSS
Product: FreshRSS

Description

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the `Remote-User` header or the `X-WebAuth-User` header by making specially crafted requests via the add feed functionality and obtaining the CSRF token via XPath scraping. The attacker has to know the IP address of the proxied FreshRSS instance and the admin's username, while also having an account on the instance. An attacker can send specially crafted requests in order to gain unauthorized access to internal services. This can also lead to privilege escalation like in the demonstrated scenario, although users that have set up OIDC are not affected by privilege escalation. Version 1.26.2 contains a patch for the issue.

AI-Powered Analysis

Last updated: 07/06/2025, 21:28:18 UTC

Technical Analysis

CVE-2025-46341 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in FreshRSS, a self-hosted RSS feed aggregator, affecting versions prior to 1.26.2. The impersonation part of the issue applies to deployments in which FreshRSS sits behind a reverse proxy that performs HTTP authentication and forwards the authenticated identity in the Remote-User or X-WebAuth-User request header. FreshRSS trusts that header, so the deployment is safe only for as long as every request reaching it has actually passed through the proxy.

The 'add feed' functionality makes FreshRSS fetch a URL supplied by the user. An authenticated low-privilege user who knows the direct IP address of the proxied FreshRSS instance can point that fetch at the instance itself. The request then reaches FreshRSS without passing through the proxy and with request headers the attacker controls, including Remote-User or X-WebAuth-User, and FreshRSS accepts the forged header as an authenticated identity. Because FreshRSS's XPath scraping feature exposes the fetched page content, the attacker can extract the impersonated user's CSRF token from the response, which unlocks state-changing actions under that identity. Knowing the administrator's username therefore turns the SSRF into privilege escalation. The same server-side fetch can also reach other internal services that only the server's network position can see. Deployments that authenticate users with OpenID Connect (OIDC) are not affected by the privilege-escalation part of the issue; the ability to make FreshRSS request internal addresses is not tied to the authentication method.

The issue is classified as CWE-918 (SSRF): the server is induced to make HTTP requests to attacker-chosen destinations, bypassing the network access controls that apply to the attacker's own position. The record carries a CVSS v3.1 base score of 7.1 (High): network attack vector, low privileges required (an ordinary account on the instance), no user interaction, and a significant confidentiality impact. The vulnerability was published on June 4, 2025 and is fixed in FreshRSS 1.26.2. No exploitation in the wild was reported as of publication.
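A compact model of the trust boundary described above, added here as an illustration and not FreshRSS's own code: a stand-in proxy that sets Remote-User after authenticating the browser, an application identity lookup in a naive and a hardened form, and a simulated feed fetch that, when pointed at the application's own address, reaches it without the proxy. The addresses, usernames, route and function names are all constructed for the model.

```python
"""
Model of the header-trust boundary behind CVE-2025-46341. Added illustration,
not FreshRSS code: the proxy, the identity lookup and the feed fetch are
simplified stand-ins, and every address and username is constructed.
What it shows: an application that honours Remote-User / X-WebAuth-User from
any TCP peer is only safe while nothing but the proxy can reach it. A
server-side fetch aimed at the application's own address reaches it without
the proxy, carrying headers chosen by the attacker.
"""
import ipaddress
from urllib.parse import urlsplit

PROXY_ADDR = "10.0.0.2"      # constructed: the proxy that performs HTTP auth
BACKEND_ADDR = "10.0.0.10"   # constructed: unproxied address of the application
IDENTITY_HEADERS = ("Remote-User", "X-WebAuth-User")


def identity_naive(headers, peer_addr):
    """Vulnerable pattern: honour an identity header no matter who sent it."""
    for name in IDENTITY_HEADERS:
        if name in headers:
            return headers[name]
    return None


def identity_hardened(headers, peer_addr, trusted_proxies=(PROXY_ADDR,)):
    """Honour identity headers only when the TCP peer is a trusted proxy."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_addr) not in trusted:
        return None
    return identity_naive(headers, peer_addr)


def proxy_forward(verified_user, client_headers):
    """What a correctly configured proxy does: strip client-supplied identity
    headers, set Remote-User from its own authentication result, and connect
    to the application from its own address."""
    forwarded = {k: v for k, v in client_headers.items() if k not in IDENTITY_HEADERS}
    forwarded["Remote-User"] = verified_user
    return forwarded, PROXY_ADDR


def server_side_fetch(url, headers, identity_fn):
    """Stand-in for 'add this feed URL': the application makes the request
    itself. If the URL points at the application's own address, the request
    lands on the application with the application's address as TCP peer and
    the caller's headers intact; otherwise it is an ordinary external fetch."""
    if urlsplit(url).hostname == BACKEND_ADDR:
        return identity_fn(headers, BACKEND_ADDR)
    return "external-fetch"


def browser_login(identity_fn, smuggled_header=True):
    """Normal path through the proxy. Even when the browser sends
    Remote-User: admin, the proxy overwrites it with the verified user."""
    client_headers = {"Remote-User": "admin"} if smuggled_header else {}
    headers, peer = proxy_forward("lowpriv", client_headers)
    return identity_fn(headers, peer)


def ssrf_impersonation(identity_fn):
    """A low-privilege user submits a feed URL pointing at the application's
    own address together with a forged identity header."""
    forged = {"Remote-User": "admin"}
    return server_side_fetch(f"http://{BACKEND_ADDR}/i/", forged, identity_fn)


if __name__ == "__main__":
    for fn in (identity_naive, identity_hardened):
        print(fn.__name__, "| via proxy:", browser_login(fn),
              "| via SSRF:", ssrf_impersonation(fn))
```

Running it, the proxied login yields lowpriv with both lookups, while the SSRF path yields admin with the naive lookup and None with the hardened one. Checking the peer address is one way to pin the boundary (binding the backend so that only the proxy can reach it is another); it is not a description of the change shipped in FreshRSS 1.26.2, which this page does not detail.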

Potential Impact

For European organizations using FreshRSS instances, especially those self-hosted behind reverse proxies with HTTP authentication, this vulnerability poses a significant risk. Exploitation can lead to unauthorized access to internal services, potentially exposing sensitive information or internal network resources. The privilege escalation capability means that attackers with limited user accounts can elevate their privileges, compromising the integrity of the system and potentially gaining administrative control. This could lead to data breaches, unauthorized data manipulation, or disruption of RSS feed services. Organizations relying on FreshRSS for internal communications or information aggregation may face confidentiality breaches and operational disruptions. The fact that OIDC setups are not affected by privilege escalation reduces risk for organizations using modern authentication methods, but many European entities may still use HTTP auth via reverse proxies, especially in legacy or smaller deployments. The absence of known exploits in the wild suggests a window of opportunity for proactive patching before widespread attacks occur.

Mitigation Recommendations

European organizations should upgrade every FreshRSS instance to version 1.26.2 or later; that is the only complete fix for CVE-2025-46341.

Until the upgrade is done, close the path the attack depends on: the FreshRSS backend must not be reachable except through the reverse proxy. Bind it to localhost or to a private interface that only the proxy can reach, and firewall the backend port, so that a request FreshRSS makes to its own published address does not arrive as an unproxied connection. A feed fetch from the same host can still reach a loopback binding, so this is a mitigation, not a substitute for the patch.

Configure the proxy to overwrite, not pass through, the Remote-User and X-WebAuth-User headers: set them from the proxy's own authentication result on every forwarded request and strip any value the client supplies. Validation of these headers inside the application cannot tell a forged value from a legitimate one, so the control belongs at the trust boundary, and the application should only honour them on connections that come from the proxy.

Consider moving authentication from HTTP auth at the proxy to OpenID Connect (OIDC), which removes the privilege-escalation vector described in the advisory.

Limit what the server-side fetch can reach. Apply network segmentation and egress filtering to the FreshRSS host so that feed fetches cannot reach internal management interfaces, cloud metadata endpoints or the instance itself, and review existing subscriptions for feed URLs that point at loopback, private or link-local addresses.

Log and monitor feed-add requests and fetch destinations for internal targets, and alert on backend connections that do not originate from the proxy or that carry identity headers from an unexpected source.
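An audit that supports the review of existing subscriptions recommended above, added here as an example and not FreshRSS's own tooling: it parses an OPML export (FreshRSS exports subscriptions as OPML, with the feed address in the xmlUrl attribute) and flags feed URLs whose host is a loopback, private, link-local or reserved address, an IP written as a bare integer or hex literal, an IPv4-mapped IPv6 address, or a hostname on a caller-supplied list of internal names. The OPML document in the block is constructed, and the default internal-name list is an assumption to adapt to the deployment (container service names, the proxy's hostname). No DNS lookup is done, so a public hostname that resolves to an internal address is only caught when listed; treat the output as a triage list.

```python
"""
Flag feed URLs in an OPML export that target internal addresses.
Added example, not FreshRSS code. SAMPLE_OPML and DEFAULT_INTERNAL_NAMES are
constructed; no network or DNS access is performed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed names that mean "this instance" in a typical container deployment.
DEFAULT_INTERNAL_NAMES = frozenset({"localhost", "freshrss", "host.docker.internal"})


def _literal_ip(host):
    """ip_address for dotted/IPv6 literals, bare-integer and 0x-hex forms; else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
        try:
            if host.isdigit():                      # http://2130706433/ == 127.0.0.1
                ip = ipaddress.ip_address(int(host))
            elif host.lower().startswith("0x"):     # http://0x7f000001/ == 127.0.0.1
                ip = ipaddress.ip_address(int(host, 16))
        except ValueError:
            return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                         # ::ffff:127.0.0.1 -> 127.0.0.1
    return ip


def classify_url(url, internal_names=DEFAULT_INTERNAL_NAMES):
    """Return a reason string when the URL targets an internal host, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "no host in URL"
    if host.lower().rstrip(".") in internal_names:
        return f"internal hostname {host!r}"
    ip = _literal_ip(host)
    if ip is None:
        return None                                 # ordinary hostname, not resolved here
    if ip.is_loopback:
        return f"loopback address {ip}"
    if ip.is_link_local:                            # checked before is_private: 169.254/16 is both
        return f"link-local address {ip}"
    if ip.is_private:
        return f"private address {ip}"
    if ip.is_reserved or ip.is_unspecified:
        return f"reserved/unspecified address {ip}"
    return None


def audit_opml(opml_text, internal_names=DEFAULT_INTERNAL_NAMES):
    """Return [(title, url, reason)] for every outline whose xmlUrl is internal."""
    root = ET.fromstring(opml_text)
    flagged = []
    for outline in root.iter("outline"):
        url = outline.get("xmlUrl")
        if not url:
            continue                                # category node, no feed
        reason = classify_url(url, internal_names)
        if reason:
            flagged.append((outline.get("text", ""), url, reason))
    return flagged


# Constructed OPML in the shape of a FreshRSS export; only the first feed is benign.
SAMPLE_OPML = """<opml version="2.0">
  <head><title>FreshRSS export (constructed sample)</title></head>
  <body>
    <outline text="Tech">
      <outline text="Example blog" type="rss" xmlUrl="https://example.org/feed.xml" htmlUrl="https://example.org/"/>
      <outline text="Self" type="rss" xmlUrl="http://10.0.0.10:8080/i/?c=subscription&amp;a=add"/>
      <outline text="Decimal loopback" type="rss" xmlUrl="http://2130706433/"/>
      <outline text="IPv6 loopback" type="rss" xmlUrl="http://[::1]/"/>
      <outline text="Metadata" type="rss" xmlUrl="http://169.254.169.254/latest/meta-data/"/>
      <outline text="Mapped" type="rss" xmlUrl="http://[::ffff:127.0.0.1]/"/>
      <outline text="Container name" type="rss" xmlUrl="http://freshrss/i/"/>
    </outline>
  </body>
</opml>
"""

if __name__ == "__main__":
    for title, url, reason in audit_opml(SAMPLE_OPML):
        print(f"{title:18} {url:48} {reason}")
```

Point the script at a real export to produce the review list; anything it flags that is not an intentional intranet feed is either an SSRF probe already sitting in the subscriptions or a configuration that the egress filtering above should block.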


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-04-22T22:41:54.912Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6840ac7f182aa0cae2bd73a5

Added to database: 6/4/2025, 8:28:47 PM

Last enriched: 7/6/2025, 9:28:18 PM

Last updated: 8/11/2025, 6:42:58 PM

