CVE-2025-67713 — Vulnetix

CVE-2025-67713 PUBLISHED CVSS 5.300000190734863 MEDIUM

Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.

EPSS 0.04% · 14.3th percentile

Risk Scores

CVSS v4.0

5.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS Score

0.04%

14.3th percentile

Affected Products

Vendor	Product	Versions
miniflux.app	v2	0
miniflux	v2	< 2.2.15
miniflux_project	miniflux	0

Timeline

Dec 10, 2025 CVE Published
Dec 11, 2025 EPSS Score
Dec 11, 2025 PoC Published
Dec 15, 2025 EPSS Score
Dec 19, 2025 EPSS Score
Dec 23, 2025 EPSS Score
Dec 27, 2025 EPSS Score
Jan 1, 2026 EPSS Score
Jan 5, 2026 EPSS Score
Jan 9, 2026 EPSS Score
Jan 13, 2026 EPSS Score
Jan 17, 2026 EPSS Score

References

https://github.com/miniflux/v2/security/advisories/GHSA-wqv2-4wpg-8hc9 url
https://github.com/miniflux/v2/commit/76df99f3a3db234cf6b312be5e771485213d03c7 url
https://nvd.nist.gov/vuln/detail/CVE-2025-67713 advisory
https://github.com/miniflux/v2 package

Open in Interactive Console →