CVE-2025-67713
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-67713
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67713.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-67713
- Aliases
- Downstream
- Published
- 2025-12-11T00:17:00.282Z
- Modified
- 2025-12-15T20:56:09.486412Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Miniflux 2 has an Open Redirect via protocol-relative `redirect_url`
- Details
-
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67713.json", "cwe_ids": [ "CWE-601" ] }- References
Affected packages
Git / github.com/miniflux/v2
Affected ranges
- Type
- GIT
- Repo
- https://github.com/miniflux/v2
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
2.*
2.0.0
2.0.0-rc1
2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.2
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.3
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.4
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.5
2.0.50
2.0.51
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
v1.*
v1.0.46
v2.*
v2.0.46
v2.0.47
v2.0.48
v2.0.49
v2.0.51
v2.1.1
v2.1.2
v2.2.0
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.3
v2.2.7
v2.2.8