CVE-2025-67713 is a medium severity open redirect vulnerability affecting Miniflux v2 feed reader versions 2.2.14 and below. The vulnerability stems from improper validation of the redirect_url parameter. Miniflux uses url.Parse(...).IsAbs() to determine if a URL is absolute and safe for redirection. However, protocol-relative URLs such as //ikotaslabs.com have an empty scheme and thus pass the IsAbs() check as false, causing the application to treat them as safe internal redirects. This allows an attacker to craft URLs that redirect authenticated users to attacker-controlled domains after login, facilitating phishing attacks by exploiting user trust post-authentication. The vulnerability does not require any privileges or authentication to exploit but does require user interaction, such as clicking a malicious link. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) reflects network attack vector, low complexity, no privileges, user interaction required, and limited confidentiality and integrity impact. No known exploits have been reported in the wild as of publication. The issue was fixed in Miniflux version 2.2.15 by properly validating redirect URLs to prevent protocol-relative URLs from being treated as safe. Organizations using Miniflux should upgrade to 2.2.15 or later to remediate this vulnerability.

For European organizations, this vulnerability poses a moderate phishing risk. Since Miniflux is an open source feed reader used by individuals and organizations for aggregating news and information, attackers can exploit this flaw to redirect users to malicious websites after login, potentially leading to credential theft, malware delivery, or further social engineering attacks. The impact on confidentiality and integrity is limited to the phishing vector, but user trust and organizational security posture may be compromised. Availability is not affected. Organizations relying on Miniflux for internal or external communications could see increased phishing attempts targeting their users. This is particularly concerning for sectors with high sensitivity to phishing such as finance, government, and critical infrastructure. The lack of required privileges lowers the barrier to exploitation, increasing risk. However, the requirement for user interaction and no known active exploits somewhat limit immediate widespread impact.

1. Upgrade Miniflux to version 2.2.15 or later immediately to apply the official fix that properly validates redirect URLs and blocks protocol-relative URLs. 2. Implement web application firewall (WAF) rules to detect and block suspicious redirect URLs containing protocol-relative patterns (e.g., URLs starting with //). 3. Educate users about phishing risks, especially regarding unexpected redirects after login and the importance of verifying URLs before interacting. 4. Monitor logs for unusual redirect URL parameters or spikes in redirect-related errors. 5. If upgrading is delayed, consider disabling or restricting redirect functionality in Miniflux configuration if possible. 6. Employ multi-factor authentication (MFA) to reduce the impact of credential theft from phishing. 7. Use browser security features or extensions that warn users about suspicious redirects or untrusted domains. 8. Conduct phishing simulations to raise awareness and test user response to redirect-based phishing attempts.