Miniflux v2, an open-source feed reader, contains a URL redirection vulnerability identified as CVE-2025-67713 (CWE-601) affecting versions 2.2.14 and below. The vulnerability stems from improper validation of the 'redirect_url' parameter. Specifically, the application uses url.Parse(...).IsAbs() to determine if a URL is absolute; however, protocol-relative URLs (those starting with //) have an empty scheme and thus pass this check erroneously. This allows attackers to craft URLs that redirect authenticated users to attacker-controlled domains after login, facilitating phishing or social engineering attacks. The vulnerability does not require authentication or privileges and can be triggered via user interaction (clicking a crafted link). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and limited confidentiality and integrity impact. No known exploits have been reported in the wild as of publication. The issue was resolved in Miniflux v2.2.15 by properly validating redirect URLs to prevent protocol-relative URLs from bypassing checks.

For European organizations using Miniflux v2 versions prior to 2.2.15, this vulnerability poses a moderate risk primarily related to phishing attacks. Attackers can exploit the open redirect to redirect authenticated users to malicious websites, potentially leading to credential theft, malware delivery, or further social engineering. While the vulnerability does not directly compromise system integrity or availability, the resulting phishing could lead to broader security incidents including unauthorized access or data breaches. Organizations relying on Miniflux for internal or external feed reading services may see reputational damage if users are targeted via this vector. The impact is heightened in sectors with sensitive information or regulatory requirements such as finance, healthcare, and government within Europe.

European organizations should immediately upgrade Miniflux to version 2.2.15 or later, where the vulnerability is fixed. Until upgrade, administrators should consider disabling or restricting the use of redirect URLs in login flows or implement additional validation layers to reject protocol-relative URLs. User awareness training should emphasize caution with unexpected redirects, especially post-login. Monitoring web server logs for unusual redirect patterns can help detect exploitation attempts. Additionally, implementing web application firewalls (WAFs) with rules to block suspicious redirect parameters can provide temporary protection. Organizations should also review their phishing detection and response capabilities to mitigate potential social engineering attacks leveraging this vulnerability.