CVE-2025-67713 MEDIUM

CVE-2025-67713: Miniflux 2 has an Open Redirect via protocol-relative `redirect_url`

Vendor Miniflux

Product v2

Weakness CWE-601 · Open redirect

Published December 11, 2025

Last update December 11, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.

Key dates

02Disclosure timeline

December 11, 2025 CVE published

December 11, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-67713

Related vulnerabilities

CVE-2025-67713: Miniflux 2 has an Open Redirect via protocol-relative `redirect_url`

01Description

02Disclosure timeline

03References

04Related CVE