GHSA-3qjf-qh38-x73v

Suggest an improvement
Source
https://github.com/advisories/GHSA-3qjf-qh38-x73v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3qjf-qh38-x73v/GHSA-3qjf-qh38-x73v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3qjf-qh38-x73v
Aliases
Related
Published
2025-04-02T17:24:11Z
Modified
2025-04-02T18:27:09.308413Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics
Details

Impact

An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default).

Patches

PR #1745 fixes the problem. Available in Miniflux >= 2.0.43.

Workarounds

Set METRICS_COLLECTOR to false (default) or run Miniflux behind a trusted reverse-proxy.

References

  • https://miniflux.app/docs/configuration.html#metrics-collector
  • https://miniflux.app/docs/configuration.html#metrics-allowed-networks
Database specific 
{
    "nvd_published_at": "2023-03-17T20:15:00Z",
    "cwe_ids": [
        "CWE-1220",
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-02T17:24:11Z"
}
References

Affected packages

Go / miniflux.app/v2

Package

Name
miniflux.app/v2
View open source insights on deps.dev
Purl
pkg:golang/miniflux.app/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.43

Database specific 

{
    "last_known_affected_version_range": "<= 2.0.42"
}

Go / miniflux.app

Package

Name
miniflux.app
View open source insights on deps.dev
Purl
pkg:golang/miniflux.app

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.0.46