{"id":"CVE-2025-68148","summary":"FreshRSS globally denies access to feed via proxy modifying to 429 Retry-After","details":"FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, an attacker could globally deny access to feeds via a proxy that modifies responses to 429 Retry-After for a large list of feeds on a given instance, making it unusable for the majority of users. This issue has been patched in version 1.28.0.","aliases":["GHSA-qw34-frg7-gf78"],"modified":"2026-04-02T13:03:40.611245Z","published":"2025-12-26T23:46:53.337Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68148.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-770"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68148.json"},{"type":"ADVISORY","url":"https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68148"},{"type":"FIX","url":"https://github.com/FreshRSS/FreshRSS/commit/7d4854a0a4f5665db599f18c34035786465639f3"},{"type":"FIX","url":"https://github.com/FreshRSS/FreshRSS/pull/8029"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freshrss/freshrss","events":[{"introduced":"66e2f00223b915c337291c0f34876d6390fb1c80"},{"fixed":"fdd82820f16733b6e07def5b590fd94879e5a520"}]}],"versions":["1.27.0","1.27.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68148.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}]}