CVE-2025-67713

Name	CVE-2025-67713
Description	Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1122583

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
miniflux (PTS)	trixie	2.2.6-1	vulnerable
	forky, sid	2.2.13-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
miniflux	source	(unstable)	(unfixed)			1122583

Notes

https://github.com/miniflux/v2/security/advisories/GHSA-wqv2-4wpg-8hc9
Fixed by: https://github.com/miniflux/v2/commit/76df99f3a3db234cf6b312be5e771485213d03c7 (2.2.15)