7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27591

GHSA ID

GHSA-3qjf-qh38-x73v

EPSS Score

0.4194%

CWE

CWE-200

Published

4/2/2025

Updated

4/2/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-27591

CVE-2023-27591: Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics

Impact

An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default).

Patches

PR #1745 fixes the problem. Available in Miniflux >= 2.0.43.

Workarounds

Set METRICS_COLLECTOR to false (default) or run Miniflux behind a trusted reverse-proxy.

References

https://miniflux.app/docs/configuration.html#metrics-collector
https://miniflux.app/docs/configuration.html#metrics-allowed-networks

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27591

GHSA ID

GHSA-3qjf-qh38-x73v

EPSS Score

0.4194%

CWE

CWE-200

Published

4/2/2025

Updated

4/2/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
miniflux.app/v2	go	<= 2.0.42	2.0.43
miniflux.app	go	<= 1.0.46

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from using client-controlled headers (X-Forwarded-For/X-Real-Ip) for access control checks in the metrics endpoint. The key vulnerable function is isAllowedToAccessMetricsEndpoint which performed the network containment check using the spoofable ClientIP value. FindClientIP is included as it provided the untrusted input. The patch moved to using FindRemoteIP (based on r.RemoteAddr) which can't be spoofed, confirming the original implementation's weakness. During exploitation, these functions would appear in call stacks when processing unauthorized metrics endpoint requests.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n un*ut**nti**t** us*r **n r*tri*v* Prom*t**us m*tri*s *rom * pu*li*ly r******l* Mini*lux inst*n** w**r* t** `M*TRI*S_*OLL**TOR` [*on*i*ur*tion option](*ttps://mini*lux.*pp/*o*s/*on*i*ur*tion.*tml#m*tri*s-*oll**tor) is *n**l** *n* `M*TRI

Reasoning

T** vuln*r**ility st*mm** *rom usin* *li*nt-*ontroll** *****rs (X-*orw*r***-*or/X-R**l-Ip) *or ****ss *ontrol ****ks in t** m*tri*s *n*point. T** k*y vuln*r**l* *un*tion is `is*llow**To****ssM*tri*s*n*point` w*i** p*r*orm** t** n*twork *ont*inm*nt **

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-27591: Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics

Impact

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI