Source: miniflux
Version: 2.2.13-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for miniflux.

CVE-2025-67713[0]:
| Miniflux 2 is an open source feed reader. Versions 2.2.14 and below
| treat redirect_url as safe when url.Parse(...).IsAbs() is false,
| enabling phishing flows after login. Protocol-relative URLs like
| //ikotaslabs.com have an empty scheme and pass that check, allowing
| post-login redirects to attacker-controlled sites. This issue is
| fixed in version 2.2.15.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-67713
    https://www.cve.org/CVERecord?id=CVE-2025-67713
[1] https://github.com/miniflux/v2/security/advisories/GHSA-wqv2-4wpg-8hc9
[2] https://github.com/miniflux/v2/commit/76df99f3a3db234cf6b312be5e771485213d03c7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
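The flawed check described in the CVE text, shown beside a stricter one, as an added Go example that is not Miniflux's code and not the upstream fix referenced in [2]. The function names vulnerableIsSafeRedirect and isSafeLocalRedirect and the sample targets are assumptions made for the illustration; the only identifier taken from the report is the protocol-relative host //ikotaslabs.com. The hardened variant goes slightly beyond the report by also rejecting targets such as ///host and /\host, which browsers resolve to a foreign origin even though net/url leaves Host empty for them.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// vulnerableIsSafeRedirect mirrors the logic the advisory describes:
// the redirect target is accepted whenever url.Parse(...).IsAbs() is false.
// IsAbs only reports whether a scheme is present, so a protocol-relative
// target like "//ikotaslabs.com" (empty scheme, non-empty host) is accepted
// and the browser follows it to an attacker-controlled origin after login.
// (Illustrative reconstruction, not Miniflux's source.)
func vulnerableIsSafeRedirect(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return !u.IsAbs()
}

// isSafeLocalRedirect is a hardened check (added example, not the upstream
// fix). A target is local only if it parses with no scheme, host, userinfo
// or opaque part, starts with exactly one "/" and contains no backslash.
// The "//" prefix test covers "//host" (Host is set) and "///host" (net/url
// keeps it in Path); the backslash test covers "/\host", which browsers
// normalise to "//host" before resolving.
func isSafeLocalRedirect(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return false
	}
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return false
	}
	if strings.ContainsAny(target, `\`) {
		return false
	}
	return true
}

// sampleTargets are constructed inputs: one legitimate in-app path and
// several shapes an attacker could place in redirect_url.
var sampleTargets = []string{
	"/feeds/unread",
	"/feeds?unread=1#top",
	"//ikotaslabs.com",
	"///ikotaslabs.com",
	`/\ikotaslabs.com`,
	"https://ikotaslabs.com/",
}

func main() {
	for _, t := range sampleTargets {
		fmt.Printf("%-28q vulnerable=%-5v hardened=%v\n",
			t, vulnerableIsSafeRedirect(t), isSafeLocalRedirect(t))
	}
}
```

Both checks reject an explicit https:// target; only the hardened one rejects the protocol-relative and slash-variant forms, while still accepting normal in-application paths with a query string and fragment. An even stricter approach is to resolve the target against the application's configured base URL and compare the resulting host, which avoids reasoning about browser normalisation quirks at all.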

