CVE-2025-46339: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data in FreshRSS FreshRSS
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and SSL verification disabled. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison the favicon of a given feed by simply intercepting the response of the feed and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-46339 is a medium-severity vulnerability affecting FreshRSS, a self-hosted RSS feed aggregator, in versions prior to 1.26.2. The vulnerability arises from improper handling of feed favicon URLs when a proxy is used with SSL verification disabled. Specifically, the favicon hash computation only includes the feed URL and a salt but omits critical variables such as the proxy address, proxy protocol, and SSL verification status. This omission allows an attacker who can intercept or control the proxy response to poison the favicon of any feed by substituting the favicon URL with one under their control. Consequently, all users of the affected FreshRSS instance can have their feed favicons replaced with malicious or misleading icons. While this does not directly compromise confidentiality or availability, it impacts integrity by allowing unauthorized modification of displayed feed icons, potentially facilitating phishing or social engineering attacks by misleading users about the source or authenticity of feeds. The vulnerability requires low privileges (PR:L) but no user interaction (UI:N) and can be exploited remotely over the network (AV:N). The issue was addressed in FreshRSS version 1.26.2 by including the missing proxy-related variables in the favicon hash computation, preventing favicon poisoning via proxy manipulation.
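The root cause and the fix described above come down to what goes into the favicon cache key. The following added example (illustrative code, not FreshRSS's own; the salt, feed URL, proxy values and icon bytes are constructed, and the exact hash layout is an assumption) simulates a shared favicon cache with two subscribers of the same feed and shows that a key built from URL and salt alone lets a fetch through a different proxy overwrite everyone's icon, while a key that also covers proxy address, proxy protocol and the SSL-verification flag keeps the two fetches in separate slots.

```python
import hashlib
from typing import Callable, Optional

# Constructed values; a real deployment has its own per-instance salt.
SALT = "constructed-instance-salt"
FEED_URL = "https://news.example/feed.xml"


def favicon_key_vulnerable(feed_url: str, proxy: Optional[str],
                           proxy_protocol: Optional[str], ssl_verify: bool) -> str:
    """Pre-1.26.2 shape (assumed layout): only the feed URL and the salt feed the
    hash, so the proxy settings, which decide which server actually answered,
    play no part in the key."""
    return hashlib.sha256(f"{SALT}|{feed_url}".encode()).hexdigest()


def favicon_key_fixed(feed_url: str, proxy: Optional[str],
                      proxy_protocol: Optional[str], ssl_verify: bool) -> str:
    """Post-fix shape (assumed layout): every parameter that influences the
    fetched bytes is part of the key, so a fetch through a different proxy
    cannot land in the slot that the direct, verified fetch populated."""
    material = "|".join([SALT, feed_url, proxy or "", proxy_protocol or "",
                         "verify" if ssl_verify else "noverify"])
    return hashlib.sha256(material.encode()).hexdigest()


def direct_fetch_poisoned(key_fn: Callable[..., str]) -> bool:
    """Simulate the shared favicon cache. Subscriber A fetches the feed directly
    with TLS verification; subscriber B adds the same URL routed through a proxy
    with verification off, and that fetch returns a different icon. Returns True
    when B's fetch replaced the icon that A (and every other user) sees."""
    cache: dict = {}
    # Constructed icon bytes standing in for the genuine and the substituted favicon.
    genuine_icon = b"ICO:genuine-news.example"
    rewritten_icon = b"ICO:rewritten-via-proxy"

    key_a = key_fn(FEED_URL, None, None, True)
    cache[key_a] = genuine_icon

    key_b = key_fn(FEED_URL, "proxy.invalid:8080", "http", False)
    cache[key_b] = rewritten_icon          # B's fetch result is stored under B's key

    return cache[key_a] != genuine_icon    # did A's slot change?


if __name__ == "__main__":
    print("vulnerable key poisoned:", direct_fetch_poisoned(favicon_key_vulnerable))  # True
    print("fixed key poisoned:     ", direct_fetch_poisoned(favicon_key_fixed))       # False
```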
Potential Impact
For European organizations using FreshRSS to aggregate RSS feeds internally or publicly, this vulnerability could undermine trust in feed content presentation by allowing attackers to spoof favicons. Although the core feed content is not directly altered, favicon poisoning can be leveraged in targeted phishing campaigns or misinformation efforts by visually associating malicious feeds with trusted sources. This may lead to decreased user confidence, potential exposure to malicious links if users are deceived, and reputational damage. Organizations relying on FreshRSS for critical information dissemination or monitoring could face operational disruptions if users ignore or mistrust feed updates due to altered favicons. However, since the vulnerability does not allow direct code execution or data exfiltration, the impact is primarily on integrity and user perception rather than confidentiality or availability.
Mitigation Recommendations
European organizations should promptly upgrade all FreshRSS instances to version 1.26.2 or later to ensure the favicon hash computation includes proxy parameters, eliminating the favicon poisoning vector. Additionally, organizations should enforce strict proxy configurations with SSL verification enabled to prevent interception or manipulation of feed responses. Network-level protections such as TLS inspection and proxy hardening can reduce the risk of man-in-the-middle attacks. Monitoring feed favicon changes and implementing alerting on unexpected favicon modifications can help detect exploitation attempts. Where feasible, restricting feed sources to trusted domains and validating feed content integrity can further mitigate risks. Finally, educating users about the potential for favicon spoofing and encouraging vigilance when interacting with feed content can reduce social engineering risks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-22T22:41:54.912Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6840c579182aa0cae2c16b09
Added to database: 6/4/2025, 10:15:21 PM
Last enriched: 7/7/2025, 2:42:39 AM
Last updated: 8/7/2025, 7:00:46 AM