CVE-2023-27591
Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics
In short
An unauthenticated attacker can access Prometheus metrics on Miniflux instances that have metrics collection enabled, even when they should only be available locally. This exposes sensitive information about the application's internal performance and state.
Technical detail
CVE-2023-27591 describes improper network validation on Miniflux's metrics endpoint, which allows unauthenticated access to Prometheus metrics despite the METRICS_ALLOWED_NETWORKS restriction (CWE-1220, CWE-200). The vulnerability affects versions prior to 2.0.43 when METRICS_COLLECTOR is enabled; an attacker obtains unauthorized disclosure of application internals without authenticating.
Summary generated and translated by AI from the official description.
Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). A patch is available in Miniflux 2.0.43. As a workaround, set `METRICS_COLLECTOR` to `false` (default) or run Miniflux behind a trusted reverse-proxy.
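The mitigation in the description (patch, disable the collector, or sit behind a trusted reverse proxy) comes down to one question: which address does the allowed-networks check actually compare against the CIDR list? The Go program below is an added example, not Miniflux's own code and not a reconstruction of the actual patch. It shows a fail-closed version of such a check: the allowed list is parsed in the `METRICS_ALLOWED_NETWORKS` format, the client address is taken from the TCP connection (`r.RemoteAddr`), and proxy headers are consulted only when the operator has declared a trusted proxy in front of the instance. The `trustProxy` flag, the function names and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for this example; trusting `X-Forwarded-For` unconditionally is shown as one generic way such checks go wrong, not as a statement about the Miniflux root cause.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// parseAllowedNetworks turns a comma-separated list such as
// "127.0.0.1/8,10.0.0.0/8" (the METRICS_ALLOWED_NETWORKS format) into CIDR
// blocks. Entries without a prefix length are treated as single hosts.
// Invalid entries return an error instead of being silently dropped, so a
// typo in the configuration cannot quietly widen access.
func parseAllowedNetworks(list string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, entry := range strings.Split(list, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		if !strings.Contains(entry, "/") {
			ip := net.ParseIP(entry)
			if ip == nil {
				return nil, fmt.Errorf("invalid allowed network %q", entry)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			entry = fmt.Sprintf("%s/%d", ip, bits)
		}
		_, block, err := net.ParseCIDR(entry)
		if err != nil {
			return nil, fmt.Errorf("invalid allowed network %q: %w", entry, err)
		}
		nets = append(nets, block)
	}
	return nets, nil
}

// clientIP derives the peer address from the TCP connection. X-Forwarded-For
// is honoured only when trustProxy is set (hypothetical flag), because any
// unauthenticated client can send that header; on a directly exposed
// instance it would let a remote caller claim to be 127.0.0.1.
func clientIP(r *http.Request, trustProxy bool) net.IP {
	if trustProxy {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			first := strings.TrimSpace(strings.Split(xff, ",")[0])
			if ip := net.ParseIP(first); ip != nil {
				return ip
			}
		}
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // no port component present
	}
	return net.ParseIP(host)
}

// isAllowed fails closed: an unparsable address or one that matches no
// block is rejected.
func isAllowed(ip net.IP, nets []*net.IPNet) bool {
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// metricsHandler guards a metrics endpoint with the network check.
func metricsHandler(allowed []*net.IPNet, trustProxy bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAllowed(clientIP(r, trustProxy), allowed) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	nets, err := parseAllowedNetworks("127.0.0.1/8")
	if err != nil {
		panic(err)
	}
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "# constructed metrics payload")
	})
	// Constructed request: remote peer that claims loopback via a header.
	r := httptest.NewRequest("GET", "/metrics", nil)
	r.RemoteAddr = "203.0.113.9:4444"
	r.Header.Set("X-Forwarded-For", "127.0.0.1")
	for _, trust := range []bool{false, true} {
		w := httptest.NewRecorder()
		metricsHandler(nets, trust, metrics).ServeHTTP(w, r)
		fmt.Printf("trustProxy=%v -> HTTP %d\n", trust, w.Code)
	}
}
```

Run as-is it reports 403 without a trusted proxy and 200 with one: the same request is accepted only when the operator has explicitly said that a proxy in front of the instance sets the header, which is the situation the "run behind a trusted reverse-proxy" workaround assumes.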
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
miniflux · v2