4.8

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-31483

GHSA ID

GHSA-cq88-842x-2jhp

EPSS Score

0.21859%

CWE

CWE-79

Published

4/4/2025

Updated

4/4/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-31483

CVE-2025-31483: Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration

Summary

Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window.

Impact

A malicious feed added to Miniflux can execute arbitrary JavaScript in the user's browser when opening external resources, such as proxified images, in a new tab or window.

Mitigation

The CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-action 'none'; sandbox;.

Upgrade to Miniflux >= 2.2.7

Credit

RyotaK (GMO Flatt Security Inc.) with takumi-san.ai

(GitHub Advisory)

4.8

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-31483

GHSA ID

GHSA-cq88-842x-2jhp

EPSS Score

0.21859%

CWE

CWE-79

Published

4/4/2025

Updated

4/4/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
miniflux.app/v2	go	< 2.2.7	2.2.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis focused on functions directly modified by the patch. The mediaProxy function is directly related to the vulnerability as it handles the /proxy/* route. Other functions were modified to enhance security by using a more restrictive CSP.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry *u* to * w**k *ont*nt S**urity Poli*y on t** `/proxy/*` rout*, *n *tt**k*r **n *yp*ss t** *SP o* t** m**i* proxy *n* *x**ut* *ross-sit* s*riptin* w**n op*nin* *xt*rn*l im***s in * n*w t**/win*ow. ## Imp**t * m*li*ious **** ***** to Mini

Reasoning

T** *n*lysis *o*us** on *un*tions *ir**tly mo*i*i** *y t** p*t**. T** `m**i*Proxy` *un*tion is *ir**tly r*l*t** to t** vuln*r**ility *s it **n*l*s t** /proxy/* rout*. Ot**r *un*tions w*r* mo*i*i** to *n**n** s**urity *y usin* * mor* r*stri*tiv* *SP.

4.8

Basic Information

Concerned about an active attack path?

CVE-2025-31483: Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration

Summary

Impact

Mitigation

Credit

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI