GHSA-WQV2-4WPG-8HC9

Vulnerability from github – Published: 2025-12-10 17:18 – Updated: 2025-12-16 23:20
Summary
Miniflux has an Open Redirect via protocol-relative redirect_url
Details

Summary

The post-login redirect_url parameter is treated as safe whenever url.Parse(...).IsAbs() returns false. That check only tests whether the parsed URL has a scheme, so a protocol-relative URL such as //ikotaslabs.com (empty scheme, but a host) passes it, and the application redirects a freshly authenticated user to an attacker-controlled site.

Details

  • url.Parse("//ikotaslabs.com") yields Scheme="" and Host="ikotaslabs.com"; the parse succeeds.
  • IsAbs() is defined as Scheme != "", so it returns false for //ikotaslabs.com and the code treats the value as a local redirect.
  • The browser resolves //ikotaslabs.com against the current page's scheme (e.g. https://ikotaslabs.com), so the user lands on a foreign origin immediately after login, which is a convenient starting point for phishing.

PoC

  1. Send a victim to, or visit: http://localhost/login?redirect_url=//ikotaslabs.com
  2. Complete the normal login flow.
  3. After login the app redirects to https://ikotaslabs.com (or http://ikotaslabs.com, depending on the origin's scheme).
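The Details and PoC above describe the same root cause: a redirect check that only asks "does this URL have a scheme?". The following Go program is an added illustration, not Miniflux's code and not the upstream fix: vulnerableIsLocalRedirect reconstructs the flawed IsAbs() test as the advisory describes it, and safeIsLocalRedirect is one hardened replacement that accepts only same-origin absolute paths. The test inputs are constructed here; the function names are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
)

// vulnerableIsLocalRedirect reconstructs the flawed check the advisory
// describes (illustration only, not Miniflux's actual source): any target
// that parses and has no scheme is accepted. IsAbs() is just Scheme != "",
// so "//ikotaslabs.com" (Scheme "", Host "ikotaslabs.com") is let through.
func vulnerableIsLocalRedirect(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return !u.IsAbs()
}

// safeIsLocalRedirect is a hardened replacement written for this example
// (assumption: it is not the project's fix). It accepts only an absolute
// path on the current origin: the value must start with exactly one "/"
// and must parse with no scheme, no host, no userinfo and no opaque part.
func safeIsLocalRedirect(raw string) bool {
	// A leading "/" alone still allows "//host" and "///host", which browsers
	// resolve to a foreign origin, and "/\host", which Chromium-based
	// browsers treat the same as "//host". Reject all of them up front.
	if len(raw) == 0 || raw[0] != '/' {
		return false
	}
	if len(raw) > 1 && (raw[1] == '/' || raw[1] == '\\') {
		return false
	}
	u, err := url.Parse(raw) // also fails on control characters such as "\r\n"
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && u.User == nil && u.Opaque == ""
}

// constructed sample targets for the comparison table printed by main
var sampleTargets = []string{
	"/feeds",                     // legitimate same-origin path
	"//ikotaslabs.com",           // protocol-relative, the advisory's case
	"///ikotaslabs.com",          // extra slash, browsers still ignore it
	"/\\ikotaslabs.com",          // backslash variant
	"https://ikotaslabs.com",     // absolute URL, caught by IsAbs()
	"javascript:alert(1)",        // scheme present, caught by IsAbs()
	"feeds",                      // relative path, rejected by the strict check
	"/login?next=//ikotaslabs.com", // the query is not the redirect target
}

func main() {
	fmt.Printf("%-32s %-10s %s\n", "redirect_url", "vulnerable", "hardened")
	for _, t := range sampleTargets {
		fmt.Printf("%-32s %-10v %v\n", t, vulnerableIsLocalRedirect(t), safeIsLocalRedirect(t))
	}
}
```

The point of the two leading-character checks is that they are applied to the raw string, before parsing: url.Parse rewrites "///ikotaslabs.com" into an empty host with path "///ikotaslabs.com", and keeps "/\ikotaslabs.com" as a plain path, so a check that looks only at the parsed Host would pass both while the browser sends the user off-origin.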

Acknowledgements

This vulnerability was discovered using the automated vulnerability analysis tools VulScribe and PwnML. The research and tool development were conducted with support from the MITOU Advanced Program (未踏アドバンスト事業), implemented by the Information-technology Promotion Agency (IPA), Japan.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.14"
      },
      "package": {
        "ecosystem": "Go",
        "name": "miniflux.app/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-10T17:18:37Z",
    "nvd_published_at": "2025-12-11T01:16:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n`redirect_url` is treated as safe when `url.Parse(...).IsAbs()` is false. Protocol-relative URLs like `//ikotaslabs.com` have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites.\n\n### Details\n- `url.Parse(\"//ikotaslabs.com\")` =\u003e empty Scheme, Host=\"ikotaslabs.com\".\n- `IsAbs()` returns false for `//ikotaslabs.com`, so the code treats it as allowed.\n- Browser resolves `//ikotaslabs.com` to current-origin scheme (e.g. `https://ikotaslabs.com`), enabling phishing flows after login.\n\n### PoC\n1. Send or visit: `http://localhost/login?redirect_url=//ikotaslabs.com`  \n2. Complete normal login flow.  \n3. After login the app redirects to `https://ikotaslabs.com` (or `http://` depending on origin).\n\n### Acknowledgements  \nThis vulnerability was discovered using the automated vulnerability analysis tools **VulScribe** and **PwnML**.   The research and tool development were conducted  with support from the **MITOU Advanced Program (\u672a\u8e0f\u30a2\u30c9\u30d0\u30f3\u30b9\u30c8\u4e8b\u696d)**, implemented by the **Information-technology Promotion Agency (IPA), Japan**.",
  "id": "GHSA-wqv2-4wpg-8hc9",
  "modified": "2025-12-16T23:20:51Z",
  "published": "2025-12-10T17:18:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/miniflux/v2/security/advisories/GHSA-wqv2-4wpg-8hc9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/miniflux/v2/commit/76df99f3a3db234cf6b312be5e771485213d03c7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/miniflux/v2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Miniflux has an Open Redirect via protocol-relative redirect_url"
}