Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Privilege escalation via SSRF when using HTTP auth

High
Alkarex published GHSA-w3m8-wcf4-h8vm Jun 3, 2025

Package

No package listed

Affected versions

<=1.26.1

Patched versions

1.26.2

Description

Summary

When the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the Remote-User header or the X-WebAuth-User header by making specially crafted requests via the add feed functionality and obtaining the CSRF token via XPath scraping

Details

The attacker has to know the IP address of the proxied FreshRSS instance and the admin's username, while also having an account on the instance.
An example server configuration that is vulnerable to the attack is running Authentik where the Proxy provider is being used, with the Remote-User or X-WebAuth-User header being passed to the FreshRSS instance.
Note that the IP address under which the FreshRSS instance is running must be included in the TRUSTED_PROXY environment variable.
This happens when both Authentik and FreshRSS are running under Docker.

PoC

Let's say that the proxy is running under the http://192.168.91.132:80 URL, and the FreshRSS instance is at http://192.168.91.132:8080
An external attacker wouldn't be able to spoof the Remote-User header from their IP address, because it is not included in the TRUSTED_PROXY environment variable.
However, the FreshRSS instance IP address is, so those are the following steps that have to be taken:

First, let's obtain the CSRF token as such, assuming that the admin user is akadmin:
(xpath is //*[@id="mark-read-aside"]/input/@value)

request1

Now, this is what we'll see in our feed if we haven't gotten an error:

response1

Now, all we have to do is promote ourselves using the CSRF token:
used URL is http://192.168.91.132:8080/i/?c=user&a=manage&username=example and xpath is //*[@id="dialogMsg"]
POST body is _csrf=[token]&action=promote

request2

We'll observe that we're admin now after sending the request:

response2
dropdown-menu

Impact

An attacker can send specially crafted requests in order to gain unauthorized access to internal services. This can also lead to privilege escalation like in the demonstrated scenario, although users that have setup OIDC are not affected by privilege escalation.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

CVE ID

CVE-2025-46341

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

Credits