Open Redirect Bypass in miniflux-v2
The URL restrictions in miniflux-v2 can be bypassed by attackers, leading to an open redirect vulnerability.
Miniflux's media proxy endpoint (GET /proxy/{encodedDigest}/{encodedURL}) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting /proxy/… URL makes Miniflux fetch and return the internal response.
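The class of check a media proxy needs against the SSRF described above, as an added example that is not Miniflux's own code. It assumes a hypothetical pre-flight validator (checkProxyURL) plus a net.Dialer Control hook that inspects the literal address right before connect(), so a public hostname that resolves to 127.0.0.1 or 169.254.169.254 (including after a redirect or a DNS rebinding) is refused at dial time rather than only at parse time. The sample URLs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Hypothetical egress filter for a media proxy; example code, not Miniflux's.

var errForbiddenTarget = errors.New("proxy target resolves to a non-public address")

// isForbiddenIP reports whether ip lies in a range a media proxy must never
// fetch from: loopback, RFC1918/ULA private space, link-local (which covers
// the 169.254.169.254 cloud metadata endpoint), unspecified and multicast.
// IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) are classified by To4().
func isForbiddenIP(ip net.IP) bool {
	if ip == nil {
		return true
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast() ||
		ip.IsInterfaceLocalMulticast()
}

// checkProxyURL validates the target before any network activity: http(s)
// only, no userinfo, and no host that is already an internal literal.
func checkProxyURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("userinfo not allowed in proxy target")
	}
	host := u.Hostname()
	if host == "" || host == "localhost" {
		return nil, errForbiddenTarget
	}
	if ip := net.ParseIP(host); ip != nil && isForbiddenIP(ip) {
		return nil, errForbiddenTarget
	}
	return u, nil
}

// controlDial runs after DNS resolution and immediately before connect(), with
// the literal ip:port being dialed. Rejecting here closes the window that a
// resolve-then-fetch check leaves open (DNS rebinding, redirect to an
// internal host).
func controlDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if isForbiddenIP(net.ParseIP(host)) {
		return errForbiddenTarget
	}
	return nil
}

// newProxyClient returns an http.Client whose every connection, including
// those made while following redirects, passes through controlDial.
func newProxyClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: controlDial}
	transport := &http.Transport{
		DialContext: dialer.DialContext,
		Proxy:       nil, // never route media fetches through HTTP_PROXY
	}
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}
}

func main() {
	// Constructed sample targets; example.com stands in for a public host.
	for _, raw := range []string{
		"https://example.com/image.png",
		"http://127.0.0.1:8080/",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::1]/",
		"ftp://example.com/x",
	} {
		_, err := checkProxyURL(raw)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
	_ = newProxyClient() // would also refuse a public name resolving to an internal address
}
```

The pre-flight check alone is not sufficient: an attacker-controlled DNS name can resolve to a public address when validated and to 127.0.0.1 when fetched, which is why the dialer hook does the final decision on the concrete address.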
The redirect_url parameter is treated as safe whenever url.Parse(…).IsAbs() returns false. A protocol-relative URL such as //ikotaslabs.com has an empty scheme, so IsAbs() reports it as not absolute and the check passes, yet a browser resolves it against the current scheme and navigates to the foreign host. This allows post-login redirects to attacker-controlled sites.
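The flawed IsAbs() check beside a stricter replacement, as an added example that is not Miniflux's own code. The function names are hypothetical; the strict variant accepts only an absolute path on the current origin and rejects on the raw bytes before parsing, because net/url normalises some inputs (it parses ///host as a path) that browsers still resolve to a foreign host.

```go
package main

import (
	"fmt"
	"net/url"
)

// Hypothetical helpers written for this example; not Miniflux code.

// isSafeRedirectNaive reproduces the flawed logic: a target is accepted
// whenever url.Parse reports it is not absolute. //ikotaslabs.com has an
// empty scheme, so IsAbs() is false and the check passes.
func isSafeRedirectNaive(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return !u.IsAbs()
}

// isSafeRedirectStrict accepts only an absolute path on the current origin.
// The raw-string checks run first: //host, /\host and ///host are all
// resolved by browsers to another host, regardless of how net/url parses them.
func isSafeRedirectStrict(raw string) bool {
	if len(raw) < 1 || raw[0] != '/' {
		return false // must be an absolute path such as /unread
	}
	if len(raw) > 1 && (raw[1] == '/' || raw[1] == '\\') {
		return false // protocol-relative or backslash-relative target
	}
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	// After the prefix check these are expected to be empty; keep the
	// belt-and-braces check so a parser change cannot silently widen scope.
	return u.Scheme == "" && u.Host == "" && u.User == nil && u.Opaque == ""
}

// safeRedirectTarget returns raw when it is a same-origin path, else fallback.
func safeRedirectTarget(raw, fallback string) string {
	if isSafeRedirectStrict(raw) {
		return raw
	}
	return fallback
}

func main() {
	// Constructed sample targets.
	for _, t := range []string{
		"/unread",
		"//ikotaslabs.com",
		"///ikotaslabs.com",
		"/\\ikotaslabs.com",
		"https://ikotaslabs.com/",
	} {
		fmt.Printf("%-26s naive=%-5v strict=%v\n", t, isSafeRedirectNaive(t), isSafeRedirectStrict(t))
	}
}
```

The fallback in safeRedirectTarget should be a fixed in-application path (the unread page, for instance), never a second user-supplied value.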
This advisory duplicates another.
Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window.
An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default).
Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors.