
Cloud Vulnerability DB
A community-led vulnerabilities database
Miniflux, a feed reader application, was found to contain a security vulnerability (CVE-2025-31483) involving a Content Security Policy (CSP) bypass. The vulnerability affects versions prior to 2.2.7, where a weak CSP on the /proxy/* route allowed attackers to bypass the media proxy's CSP and perform cross-site scripting when a user opened an external image in a new tab or window (GitHub Advisory).
The vulnerability stems from an improperly configured Content Security Policy on the media proxy route. The original CSP was set to 'default-src self', which proved insufficient in preventing cross-site scripting attacks. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, GitHub Advisory).
When exploited, this vulnerability allows a malicious feed added to Miniflux to execute arbitrary JavaScript in the user's browser when the user opens an external resource, such as a proxied image, in a new tab or window. This could lead to unauthorized access to user data or session information (GitHub Advisory).
The vulnerability has been fixed in Miniflux version 2.2.7. The patch involves changing the CSP for the media proxy from 'default-src self' to a more restrictive policy: 'default-src none; form-action none; sandbox;'. Users are advised to upgrade to version 2.2.7 or later to mitigate this vulnerability (GitHub Commit, GitHub Advisory).
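The following Go program is an added illustration of the policy change described above; it is not Miniflux's own code, and the handler, constants and helper names (weakMediaProxyCSP, hardenedMediaProxyCSP, parseCSP, effectiveSources, mediaProxyHandler) are assumptions chosen for this example. It writes the two policies on a stand-in /proxy/ handler and evaluates them with a minimal CSP parser that applies the default-src fallback rule, so the difference between the two becomes concrete: under the original policy, script-src inherits 'self', which permits scripts served from the application's own origin once a proxied response is rendered as a top-level document; under the fixed policy, script-src inherits 'none' and the response is additionally marked as a sandboxed document. Note that in real Content-Security-Policy header syntax the keyword sources are quoted ('self', 'none'), which is how the constants below are written.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Policy used by the media proxy before the fix (keyword sources quoted as in a real header).
const weakMediaProxyCSP = "default-src 'self'"

// Policy introduced in the 2.2.7 fix.
const hardenedMediaProxyCSP = "default-src 'none'; form-action 'none'; sandbox;"

// parseCSP splits a policy string into directive name -> source list.
// A directive with no sources (such as "sandbox") maps to an empty list.
func parseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		fields := strings.Fields(d)
		if len(fields) == 0 {
			continue
		}
		out[strings.ToLower(fields[0])] = fields[1:]
	}
	return out
}

// effectiveSources returns the source list that governs a fetch directive
// (script-src, img-src, ...), falling back to default-src as CSP specifies.
func effectiveSources(policy, directive string) []string {
	p := parseCSP(policy)
	if srcs, ok := p[directive]; ok {
		return srcs
	}
	return p["default-src"]
}

// scriptFromSameOriginAllowed reports whether a script served from the
// application's own origin could execute under the policy.
func scriptFromSameOriginAllowed(policy string) bool {
	for _, s := range effectiveSources(policy, "script-src") {
		switch strings.ToLower(s) {
		case "'self'", "*":
			return true
		}
	}
	return false
}

// isSandboxed reports whether the policy carries the sandbox directive,
// which makes the browser treat the response as a sandboxed document.
func isSandboxed(policy string) bool {
	_, ok := parseCSP(policy)["sandbox"]
	return ok
}

// mediaProxyHandler is a stand-in for a /proxy/ route; hardened selects the fixed policy.
func mediaProxyHandler(hardened bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		csp := weakMediaProxyCSP
		if hardened {
			csp = hardenedMediaProxyCSP
		}
		w.Header().Set("Content-Security-Policy", csp)
		w.Header().Set("Content-Type", "image/svg+xml")
		// Constructed placeholder for the body fetched from the upstream feed host.
		fmt.Fprint(w, `<svg xmlns="http://www.w3.org/2000/svg"/>`)
	}
}

// proxyResponseCSP issues an in-memory request to the handler and returns
// the policy header a client would receive.
func proxyResponseCSP(hardened bool) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/proxy/example", nil)
	mediaProxyHandler(hardened).ServeHTTP(rec, req)
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	for _, hardened := range []bool{false, true} {
		csp := proxyResponseCSP(hardened)
		fmt.Printf("hardened=%v policy=%q same-origin script allowed=%v sandboxed=%v\n",
			hardened, csp, scriptFromSameOriginAllowed(csp), isSandboxed(csp))
	}
}
```

The same check can be run against a deployed instance by fetching any /proxy/ URL and passing the Content-Security-Policy response header to scriptFromSameOriginAllowed and isSandboxed: an instance older than 2.2.7 reports true and false respectively, a patched one false and true.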
Source: This report was generated using AI