CVE-2025-46339

Published: Jun 4, 2025

Modified: Jun 4, 2025

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue.

Vendor	Product	Versions
FreshRSS	FreshRSS	affected `< 1.26.2`

Weaknesses (CWE)

CWE-349

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4

x_refsource_CONFIRM

https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-46339

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References