CVE-2023-27591: Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics

April 2, 2025

An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default).

References

github.com/advisories/GHSA-3qjf-qh38-x73v
github.com/miniflux/v2
github.com/miniflux/v2/pull/1745
github.com/miniflux/v2/releases/tag/2.0.43
github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v
miniflux.app/docs/configuration.html
nvd.nist.gov/vuln/detail/CVE-2023-27591

Code Behaviors & Features

Detect and mitigate CVE-2023-27591 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →