GHSA-wqv2-4wpg-8hc9: Miniflux has an Open Redirect via protocol-relative redirect_url

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-67713

Miniflux has an Open Redirect via protocol-relative redirect_url

Low severity GitHub Reviewed Published Dec 10, 2025 in miniflux/v2 • Updated Dec 10, 2025

Package

gomod miniflux.app/v2 (Go)

Affected versions

<= 2.2.14

Summary

redirect_url is treated as safe when url.Parse(…).IsAbs() is false. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites.

Details

• url.Parse(“//ikotaslabs.com”) => empty Scheme, Host="ikotaslabs.com".
• IsAbs() returns false for //ikotaslabs.com, so the code treats it as allowed.
• Browser resolves //ikotaslabs.com to current-origin scheme (e.g. https://ikotaslabs.com), enabling phishing flows after login.

PoC

1. Send or visit: http://localhost/login?redirect_url=//ikotaslabs.com
2. Complete normal login flow.
3. After login the app redirects to https://ikotaslabs.com (or http:// depending on origin).

Acknowledgements

This vulnerability was discovered using the automated vulnerability analysis tools VulScribe and PwnML.
The research and tool development were conducted with support from the MITOU Advanced Program (未踏アドバンスト事業),
administered by the Information-technology Promotion Agency (IPA), Japan.

References

• GHSA-wqv2-4wpg-8hc9
• miniflux/v2@76df99f

Published to the GitHub Advisory Database

Dec 10, 2025

Last updated

Dec 10, 2025