CVE-2025-67713: Open Redirect in V2

CWE-601 Open Redirect (7 documents, 5 sources)

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 79.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 11; latest update Dec 15

Description

Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe whenever url.Parse(...).IsAbs() returns false, enabling phishing flows after login. Protocol-relative URLs such as //ikotaslabs.com have an empty scheme, so IsAbs() returns false and they pass the check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.
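To make the failure mode concrete, here is an added Go example (not Miniflux's own code) that reconstructs the flawed IsAbs()-only check described above next to a hardened version that only accepts local, path-only targets; the function names and sample inputs are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// vulnerableIsSafeRedirect reconstructs the flawed logic from the advisory:
// any target whose parsed URL is not absolute is accepted. A protocol-relative
// URL ("//host") has an empty scheme, so IsAbs() is false and it slips through.
// (Hypothetical reconstruction, not Miniflux's actual implementation.)
func vulnerableIsSafeRedirect(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return !u.IsAbs()
}

// hardenedIsSafeRedirect accepts only same-site, path-only targets:
// no scheme, no authority (Go parses "//host" into u.Host), no userinfo,
// and a path that starts with exactly one "/" (browsers treat "/\host"
// like "//host", so that prefix is rejected as well).
func hardenedIsSafeRedirect(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return false
	}
	if !strings.HasPrefix(target, "/") ||
		strings.HasPrefix(target, "//") ||
		strings.HasPrefix(target, "/\\") {
		return false
	}
	return true
}

func main() {
	// Constructed sample inputs: one legitimate local path and three off-site forms.
	for _, t := range []string{"/unread", "//ikotaslabs.com", "/\\ikotaslabs.com", "https://ikotaslabs.com"} {
		fmt.Printf("%-24s vulnerable=%-5v hardened=%v\n",
			t, vulnerableIsSafeRedirect(t), hardenedIsSafeRedirect(t))
	}
}
```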

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages (5 packages)

CVEList V5: miniflux/v2 < 2.2.15
Go: miniflux.app/v2 < 2.2.15
debian: debian/miniflux < miniflux 2.2.16-1 (forky)
Debian: miniflux_project/miniflux < 2.2.16-1

Patches

🔴 Vulnerability Details (4)

OSV: Miniflux has an Open Redirect via protocol-relative redirect_url in miniflux.app (2025-12-15)
OSV: CVE-2025-67713: Miniflux 2 is an open source feed reader (2025-12-11)
GHSA: Miniflux has an Open Redirect via protocol-relative redirect_url (2025-12-10)
OSV: Miniflux has an Open Redirect via protocol-relative redirect_url (2025-12-10)

📋 Vendor Advisories (1)

Debian: CVE-2025-67713: miniflux - Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redire... (2025)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-67713 Impact, Exploitability, and Mitigation Steps | Wiz