CVE-2025-46339

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4

Configurations

No configuration.

History

05 Jun 2025, 20:12

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-04 20:15

Updated : 2025-06-05 20:12

NVD link : CVE-2025-46339

Mitre link : CVE-2025-46339

CVE.ORG link : CVE-2025-46339

JSON object : View

Products Affected

No product.

CWE

CWE-349

Acceptance of Extraneous Untrusted Data With Trusted Data

{"id": "CVE-2025-46339", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2025-06-04T20:15:23.817", "references": [{"url": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2", "source": "security-advisories@github.com"}, {"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-349"}]}], "descriptions": [{"lang": "en", "value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue."}, {"lang": "es", "value": "FreshRSS es un agregador de feeds RSS autoalojado. Antes de la versi\u00f3n 1.26.2, era posible envenenar los faviconos de un feed a\u00f1adiendo una URL como feed con un proxy configurado como uno controlado por el atacante y con la verificaci\u00f3n SSL deshabilitada. El hash del favicon se calcula mediante el hash de la URL del feed y la sal, sin incluir las siguientes variables: direcci\u00f3n del proxy, protocolo del proxy y si se debe verificar SSL. Por lo tanto, es posible envenenar el favicon de un feed simplemente interceptando la respuesta del feed y cambiando la URL del sitio web a una donde un atacante controle el favicon del feed. Cualquiera puede reemplazar los faviconos del feed para todos los usuarios. La versi\u00f3n 1.26.2 soluciona este problema."}], "lastModified": "2025-06-05T20:12:23.777", "sourceIdentifier": "security-advisories@github.com"}