GHSA-wqv2-4wpg-8hc9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wqv2-4wpg-8hc9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-wqv2-4wpg-8hc9/GHSA-wqv2-4wpg-8hc9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wqv2-4wpg-8hc9
- Aliases
- Published
- 2025-12-10T17:18:37Z
- Modified
- 2025-12-11T16:20:46.845887Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Miniflux has an Open Redirect via protocol-relative redirect_url
- Details
-
Summary
redirect_urlis treated as safe whenurl.Parse(...).IsAbs()is false. Protocol-relative URLs like//ikotaslabs.comhave an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites.Details
url.Parse("//ikotaslabs.com")=> empty Scheme, Host="ikotaslabs.com".IsAbs()returns false for//ikotaslabs.com, so the code treats it as allowed.- Browser resolves
//ikotaslabs.comto current-origin scheme (e.g.https://ikotaslabs.com), enabling phishing flows after login.
PoC
- Send or visit:
http://localhost/login?redirect_url=//ikotaslabs.com - Complete normal login flow.
- After login the app redirects to
https://ikotaslabs.com(orhttp://depending on origin).
Acknowledgements
This vulnerability was discovered using the automated vulnerability analysis tools VulScribe and PwnML.
The research and tool development were conducted with support from the MITOU Advanced Program (未踏アドバンスト事業),
administered by the Information-technology Promotion Agency (IPA), Japan. - Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-12-11T01:16:00Z", "github_reviewed_at": "2025-12-10T17:18:37Z", "severity": "MODERATE", "cwe_ids": [ "CWE-601" ] }- References
Affected packages
Go / miniflux.app/v2
Package
- Name
- miniflux.app/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/miniflux.app/v2