Medium severityOSV Advisory· Published Apr 3, 2025· Updated Apr 15, 2026
CVE-2025-31483
CVE-2025-31483
Description
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-action 'none'; sandbox;. This vulnerability is fixed in 2.2.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
miniflux.app/v2Go | < 2.2.7 | 2.2.7 |
Affected products
3- ghsa-coords2 versions
< 2.2.7+ 1 more
- (no CPE)range: < 2.2.7
- (no CPE)range: < 0.0.20250409T170536-1.1
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.