GHSA-mqqg-xjhj-wfgw: XSS
First published: Wed Apr 02 2025(Updated: )
### Impact Since [v2.0.25](https://github.com/miniflux/v2/releases/tag/2.0.25), Miniflux will automatically [proxy](https://miniflux.app/docs/configuration.html#proxy-images) images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is [returned](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L76) unescaped without the expected Content Security Policy [header](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L90) added to valid responses. By creating an RSS feed item with the inline description containing an `<img>` tag with a `srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. This results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. by a message in the alt text) to open the broken image. An attacker can execute arbitrary JavaScript in the context of a victim Miniflux user when they open a broken image in a crafted RSS feed. This can be used to perform actions on the Miniflux instance as that user and gain administrative access to the Miniflux instance if it is reachable and the victim is an administrator. ### Patches PR #1746 fixes the problem. Available in Miniflux >= 2.0.43. ### Workarounds - Disable image proxy (default value is `http-only`). ### References - https://miniflux.app/docs/configuration.html#proxy-images
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/miniflux.app/v2 | >=2.0.25<2.0.43 | 2.0.43 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/miniflux/v2/security/advisories/GHSA-mqqg-xjhj-wfgw
- https://nvd.nist.gov/vuln/detail/CVE-2023-27592
- https://github.com/miniflux/v2/pull/1746
- https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L76
- https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L90
- https://github.com/miniflux/v2/releases/tag/2.0.25
- https://github.com/miniflux/v2/releases/tag/2.0.43
- https://miniflux.app/docs/configuration.html#proxy-images
- https://github.com/advisories/GHSA-mqqg-xjhj-wfgw (Advisory)
Frequently Asked Questions
What is the severity of GHSA-mqqg-xjhj-wfgw?
The GHSA-mqqg-xjhj-wfgw vulnerability is classified as moderate severity.
Which versions of Miniflux are affected by GHSA-mqqg-xjhj-wfgw?
The affected versions of Miniflux are between v2.0.25 and v2.0.43 inclusive.
How do I fix GHSA-mqqg-xjhj-wfgw?
To fix GHSA-mqqg-xjhj-wfgw, upgrade Miniflux to version 2.0.43 or later.
What type of attack does GHSA-mqqg-xjhj-wfgw allow?
GHSA-mqqg-xjhj-wfgw potentially allows mixed content issues due to failed outbound HTTP requests.
Is there a workaround for GHSA-mqqg-xjhj-wfgw before patching?
Currently, there are no documented workarounds for GHSA-mqqg-xjhj-wfgw; upgrading is recommended.
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-mqqg-xjhj-wfgw
- alias/CVE-2023-27592
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/source
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/tags
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- package-manager/go