CVE-2025-54875: FreshRSS Unprotected New User Is Admin Param
greprules fetch cve-2025-54875-freshrss-unprotected-new-user-is-admin-param --engine opengrep
Description
The privilege-elevating request parameter 'new_user_is_admin' is read without first checking that the caller has admin privileges. Because the same createAction() endpoint is reachable from the public registration flow, an unauthenticated attacker can submit this hidden parameter and self-register as an administrator (CVE-2025-54875 / CWE-284). Gate the read
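The pattern the rule targets, as an added illustration that is not FreshRSS's code: a shared create-user handler that trusts the 'new_user_is_admin' parameter from any caller, beside the hardened form that only reads it once the caller's own admin status has been established. The $request/$session arrays and the createUser() helper are hypothetical stand-ins for the framework's request and session objects.

```php
<?php
declare(strict_types=1);

// Hypothetical persistence helper: returns the account record that would be stored.
function createUser(string $username, bool $isAdmin): array
{
    return ['username' => $username, 'is_admin' => $isAdmin];
}

// Flawed shape (CWE-284): the privilege-elevating parameter is read for every
// caller, so the public registration flow can set it too.
function createActionUnsafe(array $request, array $session): array
{
    $isAdmin = filter_var($request['new_user_is_admin'] ?? false, FILTER_VALIDATE_BOOLEAN);
    return createUser((string) ($request['username'] ?? ''), $isAdmin);
}

// Hardened shape: the parameter is consulted only when the caller is already an
// administrator; self-registration always produces a non-admin account.
function createActionSafe(array $request, array $session): array
{
    $callerIsAdmin = ($session['is_admin'] ?? false) === true;
    $isAdmin = $callerIsAdmin
        && filter_var($request['new_user_is_admin'] ?? false, FILTER_VALIDATE_BOOLEAN);
    return createUser((string) ($request['username'] ?? ''), $isAdmin);
}

// Constructed sample: an unauthenticated registration (empty session) that
// includes the hidden parameter, and an admin session doing the same.
$anonSession  = [];
$adminSession = ['is_admin' => true];
$request      = ['username' => 'newuser', 'new_user_is_admin' => '1'];

assert(createActionUnsafe($request, $anonSession)['is_admin'] === true);  // the flaw
assert(createActionSafe($request, $anonSession)['is_admin'] === false);   // the fix
assert(createActionSafe($request, $adminSession)['is_admin'] === true);   // admin path kept
```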
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided