N/A

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-67713

CVE-2025-67713: Miniflux has an Open Redirect via protocol-relative redirect_url

Summary

redirect_url is treated as safe when url.Parse(...).IsAbs() is false. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites.

Details

url.Parse("//ikotaslabs.com") => empty Scheme, Host="ikotaslabs.com".
IsAbs() returns false for //ikotaslabs.com, so the code treats it as allowed.
Browser resolves //ikotaslabs.com to current-origin scheme (e.g. https://ikotaslabs.com), enabling phishing flows after login.

PoC

Send or visit: http://localhost/login?redirect_url=//ikotaslabs.com
Complete normal login flow.
After login the app redirects to https://ikotaslabs.com (or http:// depending on origin).

Acknowledgements

This vulnerability was discovered using the automated vulnerability analysis tools VulScribe and PwnML.
The research and tool development were conducted with support from the MITOU Advanced Program (未踏アドバンスト事業),
administered by the Information-technology Promotion Agency (IPA), Japan.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-67713

CVE-2025-67713:

N/A

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
miniflux.app/v2	go	<= 2.2.14	2.2.15

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security patch commit 76df99f3a3db234cf6b312be5e771485213d03c7 clearly indicates that the vulnerability was located in the checkLogin function within the internal/ui/login_check.go file. The vulnerability is an open redirect, caused by improper validation of the redirect_url parameter. The original code used url.Parse(...).IsAbs() to determine if a URL was local. However, this check failed to account for protocol-relative URLs (e.g., //attacker.com), which are not absolute but cause the browser to redirect to an external site. The patch rectifies this by introducing a new, more stringent validation function, urllib.IsRelativePath, and applying it within handler.checkLogin. Therefore, handler.checkLogin is the function that processes the malicious input and contains the vulnerable logic.

Vulnerable functions

handler.checkLogin

internal/ui/login_check.go

The `checkLogin` function handles the post-login redirection. The vulnerability existed in its validation of the `redirect_url` parameter. The original code checked if a parsed URL was not absolute (`!parsedURL.IsAbs()`). This check is insufficient because protocol-relative URLs like `//example.com` are not considered absolute but are resolved by the browser to an external domain, leading to an open redirect. The patch replaces this flawed check with a stricter `urllib.IsRelativePath` function that correctly identifies and disallows such URLs.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-67713: Miniflux has an Open Redirect via protocol-relative redirect_url

Summary

Details

PoC

Acknowledgements

CVE-2025-67713:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

Basic Information

Basic Information

CVE-2025-67713: Miniflux has an Open Redirect via protocol-relative redirect_url

Summary

Details

PoC

Acknowledgements

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI