Miniflux 2 Server-Side Request Forgery Vulnerability via Media Proxy Endpoint

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Miniflux 2 versions prior to 2.2.16. The issue lies in the media proxy endpoint: an authenticated user can obtain a signed proxy URL for arbitrary, attacker-chosen media URLs, including internal addresses such as localhost, private RFC1918 ranges, or link-local metadata endpoints. When the signed proxy URL is requested, Miniflux fetches the internal resource server-side and returns its response to the user.

Impact

Exploitation of this vulnerability allows authenticated users to access internal network resources from the Miniflux server, potentially exposing sensitive data. This includes services running on localhost, private network services, and link-local endpoints like 169.254.169.254.
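The root cause above is a proxy that fetches whatever destination the signed URL names. The following is an added example, written for this advisory and not Miniflux's own code or its 2.2.16 fix, of the destination checks such a media proxy should apply in Go (the language Miniflux is written in): the URL is validated after DNS resolution, every resolved address is classified, and a dial-time hook re-checks the literal address the socket connects to. The function names, the extra blocked ranges and the resolver records (`cdn.example`, `rebind.example`) are assumptions constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"syscall"
)

// Added example, not Miniflux's code: the destination checks a media proxy
// should apply before fetching a user-supplied URL.
// Extra ranges to refuse beyond netip's built-in classes (assumed list).
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),     // "this" network
	netip.MustParsePrefix("100.64.0.0/10"), // carrier-grade NAT
	netip.MustParsePrefix("240.0.0.0/4"),   // reserved
}

// IsDisallowedIP reports whether the proxy must refuse an address: loopback,
// RFC1918/ULA private, link-local (covers 169.254.169.254), multicast,
// unspecified, or an extra range. IPv4-mapped IPv6 is unwrapped first so
// ::ffff:127.0.0.1 cannot slip past the IPv4 checks.
func IsDisallowedIP(ip netip.Addr) bool {
	ip = ip.Unmap()
	if !ip.IsValid() || ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return true
	}
	for _, p := range extraBlocked {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolver abstracts DNS so the check can run against constructed records.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// CheckProxyTarget validates a media URL before it is fetched and returns the
// resolved addresses so the caller connects to exactly those; resolving again
// at dial time would reopen a DNS-rebinding window.
func CheckProxyTarget(ctx context.Context, raw string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal address, nothing to resolve
	} else if addrs, err = resolve(ctx, host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	// One internal record rejects the whole URL: a mixed public/internal
	// answer is a standard way past per-address checks.
	for _, a := range addrs {
		if IsDisallowedIP(a) {
			return nil, fmt.Errorf("%s resolves to disallowed address %s", host, a)
		}
	}
	return addrs, nil
}

// DialControl is a net.Dialer.Control hook that re-checks the literal address
// the socket is about to connect to; it also covers redirects, because the
// HTTP client re-dials for every hop.
func DialControl(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("unexpected dial address %q: %w", address, err)
	}
	if IsDisallowedIP(ap.Addr()) {
		return fmt.Errorf("refusing to connect to %s", ap.Addr())
	}
	return nil
}

// demoResolver serves constructed records so the example runs offline.
var demoResolver Resolver = func(_ context.Context, host string) ([]netip.Addr, error) {
	switch host {
	case "cdn.example":
		return []netip.Addr{netip.MustParseAddr("203.0.113.10")}, nil
	case "rebind.example": // public and internal records in one answer
		return []netip.Addr{netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

func main() {
	for _, raw := range []string{"https://cdn.example/image.png", "http://127.0.0.1:8080/",
		"http://[::ffff:127.0.0.1]/", "http://169.254.169.254/", "http://rebind.example/image.png"} {
		_, err := CheckProxyTarget(context.Background(), raw, demoResolver)
		fmt.Printf("%-34s -> %v\n", raw, err)
	}
}
```

In a real proxy, `demoResolver` is replaced by `net.DefaultResolver.LookupNetIP`, and `DialControl` is installed with `net.Dialer{Control: DialControl}` whose `DialContext` feeds the proxy's `http.Transport`, together with a `CheckRedirect` limit on the client. Checking only the hostname string, or only the first resolved address, is not enough: the dial-time hook is what guarantees the address actually connected to was classified.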

Reproduction

To reproduce this vulnerability, log into Miniflux 2.2.15 with a normal user account. Subscribe to a feed that you control, including an entry with an image URL pointing to an internal address accessible from the Miniflux server. After opening the entry, locate the rewritten media proxy URL in the rendered HTML or page source. Request this proxy URL, and Miniflux will fetch the internal URL and return the response, demonstrating the SSRF vulnerability.

Remediation

Users can upgrade to Miniflux version 2.2.16 or later, where this vulnerability has been fixed.

Added: Jan 8, 2026, 2:20 PM
Updated: Jan 8, 2026, 6:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.8
impact: 3.1
exploitability: 6.6
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.