VYPR
Moderate severityNVD Advisory· Published Dec 11, 2025· Updated Dec 11, 2025

Miniflux 2 has an Open Redirect via protocol-relative `redirect_url`

CVE-2025-67713

Description

Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
miniflux.app/v2Go
< 2.2.152.2.15

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.