CVE-2025-31483
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-31483
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31483.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-31483
- Aliases
- Downstream
- Related
- Published
- 2025-04-03T18:07:32.241Z
- Modified
- 2025-12-05T08:54:35.157550Z
- Severity
-
- 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Stored XSS in Miniflux Media Proxy due to improper Content-Security-Policy configuration
- Details
-
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-action 'none'; sandbox;. This vulnerability is fixed in 2.2.7.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31483.json" }- References
Affected packages
Git / github.com/miniflux/v2
Affected ranges
- Type
- GIT
- Repo
- https://github.com/miniflux/v2
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
2.*
2.0.0
2.0.0-rc1
2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.2
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.3
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.4
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.5
2.0.50
2.0.51
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
v1.*
v1.0.46
v2.*
v2.0.46
v2.0.47
v2.0.48
v2.0.49
v2.0.51
v2.1.1
v2.1.2
v2.2.0
v2.2.3