Moderate severity · NVD Advisory · Published Dec 11, 2025 · Updated Dec 11, 2025
Miniflux 2 has an Open Redirect via protocol-relative `redirect_url`
CVE-2025-67713
Description
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat `redirect_url` as safe when `url.Parse(...).IsAbs()` is false, enabling phishing flows after login. Protocol-relative URLs like `//ikotaslabs.com` have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.
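To make the failure mode concrete, the following Go program (an added example, not code from Miniflux or from the advisory) reproduces the weak check the description names beside a stricter same-origin check. The weak check is `!u.IsAbs()`, exactly as described; the strict check is an assumption about what a safe allow-list looks like (a single leading `/`, no host, no userinfo, no `//` or `/\` prefix) and is not the project's actual 2.2.15 fix. The sample targets are constructed; `//ikotaslabs.com` is the one quoted in the description.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isSafeRedirectWeak mirrors the check the advisory describes: a redirect
// target is accepted whenever url.Parse says it is not an absolute URL.
// "//host" parses with an empty scheme, so IsAbs() is false and it slips through.
func isSafeRedirectWeak(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return !u.IsAbs()
}

// isSafeRedirectStrict (assumed hardening, not Miniflux's code) only accepts a
// path on the current origin: the value must parse, carry no scheme, host or
// userinfo, and begin with exactly one "/". "//host" is rejected because
// url.Parse puts "host" in u.Host; "/\host" is rejected explicitly because some
// browsers normalise a backslash to a slash and would treat it as "//host".
func isSafeRedirectStrict(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.IsAbs() || u.Host != "" || u.User != nil {
		return false
	}
	if !strings.HasPrefix(target, "/") ||
		strings.HasPrefix(target, "//") ||
		strings.HasPrefix(target, "/\\") {
		return false
	}
	return true
}

func main() {
	// Constructed sample redirect_url values.
	targets := []string{
		"/feeds",                 // legitimate in-app path
		"//ikotaslabs.com",       // protocol-relative, from the advisory
		"/\\ikotaslabs.com",      // backslash variant of the same idea
		"https://example.com/",   // absolute URL, caught by both checks
	}
	fmt.Printf("%-24s %-6s %-6s\n", "redirect_url", "weak", "strict")
	for _, t := range targets {
		fmt.Printf("%-24s %-6v %-6v\n", t, isSafeRedirectWeak(t), isSafeRedirectStrict(t))
	}
}
```

Run it and the table shows the gap: only the strict check rejects `//ikotaslabs.com` while still admitting `/feeds`. Checking `u.Host` (not only `IsAbs()`) is what closes the protocol-relative case, and the prefix test covers the backslash variant that `url.Parse` keeps as an ordinary path.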
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| miniflux.app/v2 (Go) | < 2.2.15 | 2.2.15 |
Affected products
- ghsa-coords (2 versions)
  - (no CPE) range: < 2.2.15
  - (no CPE) range: < 0.0.20251230T014957-150000.1.134.1
References
- https://github.com/advisories/GHSA-wqv2-4wpg-8hc9 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-67713 (NVD entry)
- https://github.com/miniflux/v2/commit/76df99f3a3db234cf6b312be5e771485213d03c7 (commit)
- https://github.com/miniflux/v2/security/advisories/GHSA-wqv2-4wpg-8hc9 (project advisory)