{"id":"CVE-2025-68402","summary":"FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch]","details":"FreshRSS is a free, self-hostable RSS aggregator. Between commits 57e1a37 and 00f2f04, the length of the nonce was changed from 40 characters to 64. password_verify() is called with a constructed string (the 64-character SHA-256 nonce followed by part of a bcrypt hash) instead of the raw user password. Because bcrypt only uses the first 72 bytes of its input, the nonce occupies 64 of those bytes and only 8 bytes of the hash part are ever compared, so password verification succeeds even when the user enters an incorrect password. This vulnerability is fixed in 1.27.2-dev (476e57b). The issue was only present in the edge branch and never in a stable release.","aliases":["GHSA-pcq9-mq6m-mvmp"],"modified":"2026-04-10T05:35:06.450175Z","published":"2026-03-09T19:41:57.974Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68402.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-287"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68402.json"},{"type":"ADVISORY","url":"https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-pcq9-mq6m-mvmp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68402"},{"type":"FIX","url":"https://github.com/FreshRSS/FreshRSS/commit/476e57b04646416e24e24c56133c9fadf9e52b95"},{"type":"FIX","url":"https://github.com/FreshRSS/FreshRSS/pull/8061"},{"type":"FIX","url":"https://github.com/FreshRSS/FreshRSS/pull/8320"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freshrss/freshrss","events":[{"introduced":"0"},{"fixed":"476e57b04646416e24e24c56133c9fadf9e52b95"}]}],"versions":["0.1.0","0.5.0","0.6.0","0.6.1","0.7.0","0.7.1","0.8.0","0.8.1","1.0.0","1.10.0","1.10.1","1.10.2","1.11.0","1.11.1","1.11.2","1.12.0","1.13.0","1.13.1","1.14.0","1.14.1","1.14.2","1.14.3","1.15.0","1.15.1","1.15.2","1.16.0","1.16.1","1.16.2","1.17.0","1.18.0","1.18.1","1.19.0","1.19.1","1.19.2","1
.2.0","1.20.0","1.20.1","1.21.0","1.22.0","1.22.1","1.23.0","1.23.1","1.24.0","1.24.1","1.24.2","1.24.3","1.25.0","1.26.0","1.26.1","1.26.2","1.26.3","1.27.0","1.27.1","1.4.0","1.5.0","1.6.0","1.6.1","1.6.2","1.6.3","1.7.0","1.8.0","1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68402.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}