N/A

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-wqv2-4wpg-8hc9

GHSA-wqv2-4wpg-8hc9: Miniflux has an Open Redirect via protocol-relative redirect_url

Summary

redirect_url is treated as safe when url.Parse(...).IsAbs() is false. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites.

Details

url.Parse("//ikotaslabs.com") => empty Scheme, Host="ikotaslabs.com".
IsAbs() returns false for //ikotaslabs.com, so the code treats it as allowed.
Browser resolves //ikotaslabs.com to current-origin scheme (e.g. https://ikotaslabs.com), enabling phishing flows after login.

PoC

Send or visit: http://localhost/login?redirect_url=//ikotaslabs.com
Complete normal login flow.
After login the app redirects to https://ikotaslabs.com (or http:// depending on origin).

Acknowledgements

This vulnerability was discovered using the automated vulnerability analysis tools VulScribe and PwnML.
The research and tool development were conducted with support from the MITOU Advanced Program (未踏アドバンスト事業),
administered by the Information-technology Promotion Agency (IPA), Japan.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-wqv2-4wpg-8hc9

GHSA-wqv2-4wpg-8hc9:

N/A

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
miniflux.app/v2	go	<= 2.2.14	2.2.15

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security patch (commit 76df99f3a3db234cf6b312be5e771485213d03c7) clearly indicates that the vulnerability is located in the checkLogin function within the internal/ui/login_check.go file. The vulnerability is an Open Redirect, caused by improper validation of the redirect_url parameter. The original code used !parsedURL.IsAbs() to determine if a URL was relative and safe for redirection. However, this check fails to account for protocol-relative URLs like //example.com, which pass the !IsAbs() check but are treated as absolute URLs by browsers, thus redirecting the user to an external, potentially malicious, site. The patch replaces this flawed logic with a new, stricter function, urllib.IsRelativePath, which correctly identifies and disallows such URLs by checking if both the scheme and host are empty. The vulnerable function is handler.checkLogin as it is the entry point that handles the user-supplied redirect_url and performs the unsafe redirect.

Vulnerable functions

handler.checkLogin

internal/ui/login_check.go

The `checkLogin` function processes the `redirect_url` parameter from the login request. Before the patch, it used `url.Parse(redirectURL).IsAbs()` to validate the URL. This check was insufficient because protocol-relative URLs (e.g., `//example.com`) are not considered absolute by this function, but are resolved to absolute URLs by the browser. This allowed an attacker to craft a malicious login link that would redirect the user to an external site after a successful login.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-wqv2-4wpg-8hc9: Miniflux has an Open Redirect via protocol-relative redirect_url

Summary

Details

PoC

Acknowledgements

GHSA-wqv2-4wpg-8hc9:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Basic Information

Basic Information

Technical Details

GHSA-wqv2-4wpg-8hc9: Miniflux has an Open Redirect via protocol-relative redirect_url

Summary

Details

PoC

Acknowledgements

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI