4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27592

GHSA ID

GHSA-mqqg-xjhj-wfgw

EPSS Score

0.57526%

CWE

CWE-79

Published

4/2/2025

Updated

4/2/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-27592

CVE-2023-27592: Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler

Impact

Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors.

When an outbound request made by the Go HTTP client fails, the html.ServerError is returned unescaped without the expected Content Security Policy header added to valid responses.

By creating an RSS feed item with the inline description containing an <img> tag with a srcset attribute pointing to an invalid URL like http:a<script>alert(1)</script>, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full.

This results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. by a message in the alt text) to open the broken image.

An attacker can execute arbitrary JavaScript in the context of a victim Miniflux user when they open a broken image in a crafted RSS feed. This can be used to perform actions on the Miniflux instance as that user and gain administrative access to the Miniflux instance if it is reachable and the victim is an administrator.

Patches

PR #1746 fixes the problem. Available in Miniflux >= 2.0.43.

Workarounds

Disable image proxy (default value is http-only).

References

https://miniflux.app/docs/configuration.html#proxy-images

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27592

GHSA ID

GHSA-mqqg-xjhj-wfgw

EPSS Score

0.57526%

CWE

CWE-79

Published

4/2/2025

Updated

4/2/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
miniflux.app/v2	go	>= 2.0.25, < 2.0.43	2.0.43

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability chain involves two key functions:

mediaProxy handler in ui/proxy.go triggers XSS by passing user-controlled error messages from failed image fetches to ServerError
ServerError in http/response/html/html.go directly outputs unescaped error content without security headers, enabling script execution Patch changes show:

mediaProxy stopped using ServerError for error responses
ServerError gained CSP headers to mitigate XSS Runtime detection would see both functions in call stack when processing malicious image requests

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Sin** [v*.*.**](*ttps://*it*u*.*om/mini*lux/v*/r*l**s*s/t**/*.*.**), Mini*lux will *utom*ti**lly [proxy](*ttps://mini*lux.*pp/*o*s/*on*i*ur*tion.*tml#proxy-im***s) im***s s*rv** ov*r *TTP to pr*v*nt mix** *ont*nt *rrors. W**n *n out*oun*

Reasoning

T** vuln*r**ility ***in involv*s two k*y *un*tions: *. m**i*Proxy **n*l*r in ui/proxy.*o tri***rs XSS *y p*ssin* us*r-*ontroll** *rror m*ss***s *rom **il** im*** **t***s to S*rv*r*rror *. S*rv*r*rror in *ttp/r*spons*/*tml/*tml.*o *ir**tly outputs un*

4.8

Basic Information

Concerned about an active attack path?

CVE-2023-27592: Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler

Impact

Patches

Workarounds

References

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI