VYPR
Medium severity · OSV Advisory · Published Apr 3, 2025 · Updated Apr 15, 2026

CVE-2025-31483

Description

Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-action 'none'; sandbox;. This vulnerability is fixed in 2.2.7.
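As an added example (not Miniflux code), a small Go check that parses a Content-Security-Policy value and audits it against the three requirements the fix introduces (default-src 'none', form-action 'none', sandbox), run over the two policies quoted above. The policy strings come from the description; the constant and function names are mine.

```go
package main
import (
	"fmt"
	"strings"
)
// The two policies the advisory names: the weak pre-2.2.7 /proxy/* value and the 2.2.7 fix.
const (
	WeakProxyCSP  = `default-src 'self'`
	FixedProxyCSP = `default-src 'none'; form-action 'none'; sandbox;`
)
// ParseCSP splits a Content-Security-Policy value into directive -> source list. Names are
// case-insensitive, a repeated directive is ignored (first wins), a trailing ";" leaves no entry.
func ParseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, part := range strings.Split(policy, ";") {
		fields := strings.Fields(part)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		if _, dup := out[name]; !dup {
			out[name] = fields[1:]
		}
	}
	return out
}
// AuditUntrustedContentCSP lists what makes a policy too weak for attacker-supplied bytes
// served from the application's own origin; an empty result means the policy passes.
func AuditUntrustedContentCSP(policy string) []string {
	d := ParseCSP(policy)
	var findings []string
	if def, ok := d["default-src"]; !ok {
		findings = append(findings, "default-src missing: script-src inherits the browser default")
	} else if len(def) != 1 || def[0] != "'none'" {
		// 'self', the pre-fix value, still lets the document load scripts from its own origin.
		findings = append(findings, "default-src "+strings.Join(def, " ")+": same-origin script loads stay allowed")
	}
	if _, ok := d["sandbox"]; !ok {
		findings = append(findings, "sandbox missing: content keeps the application's origin and privileges")
	}
	if fa, ok := d["form-action"]; !ok || len(fa) != 1 || fa[0] != "'none'" {
		findings = append(findings, "form-action not 'none': forms inside the content may submit")
	}
	return findings
}
func main() {
	for _, p := range []string{WeakProxyCSP, FixedProxyCSP} {
		fmt.Printf("%q -> %v\n", p, AuditUntrustedContentCSP(p))
	}
}
```

Pointing the audit at the header of a live `/proxy/` response gives a regression check that an upgraded instance actually ships the hardened policy.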

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
miniflux.app/v2    Go          < 2.2.7             2.2.7

Patches

Commit cb695e653a08

fix(security): use a more restrictive CSP for untrusted content

https://github.com/miniflux/v2 · Frédéric Guillot · Mar 30, 2025 · via GHSA
4 files changed · +18 -4
  • internal/http/response/html/html.go (+2 -2, modified)
    @@ -37,7 +37,7 @@ func ServerError(w http.ResponseWriter, r *http.Request, err error) {
     
     	builder := response.New(w, r)
     	builder.WithStatus(http.StatusInternalServerError)
    -	builder.WithHeader("Content-Security-Policy", `sandbox`)
    +	builder.WithHeader("Content-Security-Policy", response.ContentSecurityPolicyForUntrustedContent)
     	builder.WithHeader("Content-Type", "text/html; charset=utf-8")
     	builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store")
     	builder.WithBody(err)
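Review bot: `builder.WithBody(err)` is still served as `text/html`, and under the new `default-src 'none'` every stylesheet, inline style, image and script in that body is blocked, not just untrusted ones; confirm the error page renders acceptably with bare markup, otherwise this hardening will visibly break the 500 page rather than merely tighten it. Applying the untrusted-content policy to a server-generated error page is reasonable defence in depth, but the commit message only speaks of untrusted content, so a one-line comment here saying why error responses get it too would help the next reader.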
    @@ -61,7 +61,7 @@ func BadRequest(w http.ResponseWriter, r *http.Request, err error) {
     
     	builder := response.New(w, r)
     	builder.WithStatus(http.StatusBadRequest)
    -	builder.WithHeader("Content-Security-Policy", `sandbox`)
    +	builder.WithHeader("Content-Security-Policy", response.ContentSecurityPolicyForUntrustedContent)
     	builder.WithHeader("Content-Type", "text/html; charset=utf-8")
     	builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store")
     	builder.WithBody(err)
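Review bot: this block is now a line-for-line copy of the one in ServerError (status aside): same three headers, same body call. A helper on the response builder, for example `WithUntrustedContentHeaders()` (name is only a suggestion), would keep the two in sync and make the next policy change a one-line edit; that this fix had to touch four call sites is exactly the maintenance cost such a helper removes.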
    
  • internal/http/response/response.go (+14 -0, added)
    @@ -0,0 +1,14 @@
    +// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
    +// SPDX-License-Identifier: Apache-2.0
    +
    +package response // import "miniflux.app/v2/internal/http/response"
    +
    +// ContentSecurityPolicyForUntrustedContent is the default CSP for untrusted content.
    +// default-src 'none' disables all content sources
    +// form-action 'none' disables all form submissions
    +// sandbox enables a sandbox for the requested resource
    +// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
    +// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
    +// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
    +// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
    +const ContentSecurityPolicyForUntrustedContent = `default-src 'none'; form-action 'none'; sandbox;`
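Review bot: no test accompanies the new constant although four call sites now depend on its exact value (none of the four changed files is a `_test.go`); a short test asserting that proxy and error responses carry `default-src 'none'; form-action 'none'; sandbox;` would turn this fix into a regression guard. The comment `sandbox enables a sandbox for the requested resource` could also state the consequence that matters here: with no `allow-*` flags the response is rendered in an opaque origin, so it cannot run script, submit forms, open popups or read same-origin state. The trailing `;` after `sandbox` is harmless to browsers but inconsistent with the usual directive list form; dropping it keeps the value canonical.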
    
  • internal/ui/feed_icon.go (+1 -1, modified)
    @@ -26,7 +26,7 @@ func (h *handler) showFeedIcon(w http.ResponseWriter, r *http.Request) {
     	}
     
     	response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
    -		b.WithHeader("Content-Security-Policy", `sandbox`)
    +		b.WithHeader("Content-Security-Policy", response.ContentSecurityPolicyForUntrustedContent)
     		b.WithHeader("Content-Type", icon.MimeType)
     		b.WithBody(icon.Content)
     		if icon.MimeType != "image/svg+xml" {
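Review bot: the header is set inside the `WithCaching` callback before the `icon.MimeType != "image/svg+xml"` branch, so SVG icons, the one image type that can carry script and the reason a CSP matters on an icon endpoint, are covered too; a comment saying so would stop a reader from assuming the policy only applies on the non-SVG path. Because `Content-Type` is taken straight from `icon.MimeType`, consider also sending `X-Content-Type-Options: nosniff` here so a mistyped icon is never sniffed as HTML.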
    
  • internal/ui/proxy.go (+1 -1, modified)
    @@ -144,7 +144,7 @@ func (h *handler) mediaProxy(w http.ResponseWriter, r *http.Request) {
     
     	response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
     		b.WithStatus(resp.StatusCode)
    -		b.WithHeader("Content-Security-Policy", `sandbox`)
    +		b.WithHeader("Content-Security-Policy", response.ContentSecurityPolicyForUntrustedContent)
     		b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
     
     		if filename := path.Base(parsedMediaURL.Path); filename != "" {
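Review bot: `b.WithStatus(resp.StatusCode)` and `b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))` relay the upstream status and type unchanged, so the stricter CSP is the only thing standing between a remote server answering `text/html` and a document rendered under this origin. The policy is the right primary control, but consider a second line of defence in this handler: reject or rewrite non-media `Content-Type` values (the route exists to proxy images) and add `X-Content-Type-Options: nosniff`, so that the CSP value is no longer the single point of failure it was before this fix.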
    
