High severity · NVD Advisory · Published Mar 17, 2023 · Updated Feb 25, 2025
Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics
CVE-2023-27591
Description
Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default). A patch is available in Miniflux 2.0.43. As a workaround, set METRICS_COLLECTOR to false (the default) or run Miniflux behind a trusted reverse proxy.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| miniflux.app/v2 | Go | < 2.0.43 | 2.0.43 |
| miniflux.app | Go | <= 1.0.46 | — |
Affected products: 1
Patches: 0 (no patches discovered yet)
References (6)
- https://github.com/advisories/GHSA-3qjf-qh38-x73v (GHSA; advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-27591 (GHSA; advisory)
- https://github.com/miniflux/v2/pull/1745 (GHSA; x_refsource_MISC; web)
- https://github.com/miniflux/v2/releases/tag/2.0.43 (GHSA; x_refsource_MISC; web)
- https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v (GHSA; x_refsource_CONFIRM; web)
- https://miniflux.app/docs/configuration.html (GHSA; x_refsource_MISC; web)