FreshRSS Denial-of-Service Vulnerability via Proxy-Modified Retry-After Header

Vulnerability

A denial-of-service vulnerability has been identified in FreshRSS, an open-source RSS aggregator, affecting versions from 1.27.0 up to but not including 1.28.0. The issue arises when a proxy in the request path rewrites the response for multiple feeds to `429 Too Many Requests` with a `Retry-After` header, disrupting access and usability for most users. This manipulation can block significant feeds, such as those from YouTube, Reddit, and Medium, making the application largely ineffective.

Impact

Exploitation of this vulnerability can lead to a noticeable degradation of the application's performance, causing widespread disruption for users by blocking access to essential feeds.

Reproduction

To reproduce this vulnerability, subscribe to a feed, such as the Bleeping Computer feed, with FreshRSS routed through your proxy and SSL verification disabled. Allow a timeout of 900 seconds so that the response can be adjusted manually in Burp Suite. Change the response status to `HTTP/2 429 Too Many Requests` and include a `Retry-After` header indicating a delay of 10,000 seconds. This will prevent the feed from being added, and the issue can be repeated once the `Retry-After` period expires.

Remediation

Users can update to FreshRSS version 1.28.0, where this vulnerability has been patched.
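As an added illustration of the defensive bound a feed fetcher can place on a server- or proxy-supplied `Retry-After` (example code written for this page, not FreshRSS's own fix, whose details are not reproduced here; the one-hour ceiling and the "no delay on malformed header" fallback are assumed policy values):

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed policy values (not taken from FreshRSS): never honour a back-off
# longer than one hour, and treat an unparseable header as "no delay".
MAX_RETRY_AFTER_SECONDS = 3600
DEFAULT_RETRY_AFTER_SECONDS = 0


def parse_retry_after(value, now=None):
    """Return the delay in seconds requested by a Retry-After header.

    RFC 7231 allows either delta-seconds or an HTTP-date. Returns None when
    the value is missing or malformed so the caller can fall back safely.
    """
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return int(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0, int((when - now).total_seconds()))


def bounded_retry_delay(status, headers, now=None):
    """Decide how long a feed fetcher should back off after a response.

    Only 429 and 503 carry a meaningful Retry-After. The delay is clamped so
    that one oversized header, whether from the origin or from a proxy in the
    path, cannot park a feed for hours (the 10,000-second case above).
    """
    if status not in (429, 503):
        return 0
    # Header names are case-insensitive; match without assuming the spelling.
    value = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    delay = parse_retry_after(value, now)
    if delay is None:
        return DEFAULT_RETRY_AFTER_SECONDS
    return min(delay, MAX_RETRY_AFTER_SECONDS)
```

Logging any clamped value (requested delay vs. applied delay) gives operators a simple signal that something between FreshRSS and the feed is injecting abnormal back-off headers.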

Added: Dec 27, 2025, 12:21 AM
Updated: Dec 27, 2025, 12:21 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 7.6
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.