CVE-2025-67713

Publication date 12 December 2025

Last updated 12 December 2025


Ubuntu priority

Description

Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.
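The check described above, next to a stricter same-origin check, as an added Go example; it is not Miniflux's code and not the 2.2.15 fix. The function names weakIsSafe and strictIsSafe and the example.test host are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// weakIsSafe reproduces the logic the advisory describes: a redirect target
// is accepted whenever url.Parse(...).IsAbs() is false, i.e. the scheme is empty.
func weakIsSafe(redirect string) bool {
	u, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	return !u.IsAbs()
}

// strictIsSafe is a hypothetical hardened check: accept only a local path.
// It requires an empty scheme AND an empty host, a path that starts with
// exactly one "/", and no backslashes (some browsers treat "\" like "/").
func strictIsSafe(redirect string) bool {
	if strings.Contains(redirect, `\`) {
		return false
	}
	u, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	if u.Scheme != "" || u.Host != "" {
		return false
	}
	return strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//")
}

func main() {
	// Constructed sample values; example.test is a placeholder host.
	samples := []string{"/unread", "//example.test/login", "https://example.test/", `/\example.test`}
	for _, r := range samples {
		u, _ := url.Parse(r)
		fmt.Printf("%-24q scheme=%q host=%q weak=%-5v strict=%v\n",
			r, u.Scheme, u.Host, weakIsSafe(r), strictIsSafe(r))
	}
}
```

For the protocol-relative input, url.Parse returns an empty Scheme but a populated Host, which is why testing the host as well as the scheme closes the gap.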

Status

Package    Ubuntu Release    Status
miniflux   25.10 questing    Needs evaluation
miniflux   25.04 plucky      Needs evaluation
miniflux   24.04 LTS noble   Needs evaluation
miniflux   22.04 LTS jammy   Not in release