Login Sign Up

CVE-2023-27591

7.5 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability allows unauthenticated attackers to access Prometheus metrics from publicly exposed Miniflux instances with metrics collection enabled. It affects Miniflux instances where METRICS_COLLECTOR is enabled and METRICS_ALLOWED_NETWORKS is set to the default 127.0.0.1/8. The metrics could contain sensitive system information.

💻 Affected Systems

Products:
  • Miniflux
Versions: All versions prior to 2.0.43
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when METRICS_COLLECTOR is explicitly enabled (default is false) and METRICS_ALLOWED_NETWORKS is set to default 127.0.0.1/8

📦 What is this software?

Miniflux by Miniflux Project

View all CVEs affecting Miniflux →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain sensitive system metrics including performance data, resource usage, and potentially internal network information that could facilitate further attacks.

🟠

Likely Case

Information disclosure of system metrics that could help attackers profile the system and identify potential weaknesses for follow-up attacks.

🟢

If Mitigated

No information disclosure; metrics remain accessible only to authorized localhost connections.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request to metrics endpoint when instance is publicly accessible

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.43

Vendor Advisory: https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v

Restart Required: Yes

Instructions:

1. Update Miniflux to version 2.0.43 or later. 2. Restart the Miniflux service. 3. Verify metrics endpoint is properly restricted.

🔧 Temporary Workarounds

Disable metrics collector

all

Set METRICS_COLLECTOR configuration option to false

Set METRICS_COLLECTOR=false in Miniflux configuration

Use reverse proxy

all

Run Miniflux behind a trusted reverse proxy that restricts access to metrics endpoint

🧯 If You Can't Patch

  • Disable METRICS_COLLECTOR in configuration
  • Implement network-level restrictions to block external access to metrics endpoint

🔍 How to Verify

Check if Vulnerable:

Check if METRICS_COLLECTOR is enabled and attempt to access /metrics endpoint from external network

Check Version:

Check Miniflux version in web interface or via miniflux --version command

Verify Fix Applied:

After patching, verify that external requests to /metrics endpoint are properly rejected

📡 Detection & Monitoring

Log Indicators:

  • External IP addresses accessing /metrics endpoint
  • Failed authentication attempts to metrics endpoint

Network Indicators:

  • External traffic to /metrics endpoint on Miniflux port

SIEM Query:

source_ip NOT IN (127.0.0.0/8) AND destination_port = [MINIFLUX_PORT] AND uri_path = '/metrics'

📊 Metadata

CVE ID: CVE-2023-27591
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-200
Published: March 17, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-27591, you might also want to check these:

CVE-2025-61481 10.0

MikroTik RouterOS and SwOS expose their WebFig management interface over unencrypted HTTP by default...

Same vulnerability type (CWE-200)
CVE-2025-53624 10.0

The Docusaurus gists plugin versions before 4.0.0 expose GitHub Personal Access Tokens in client-sid...

Same vulnerability type (CWE-200)
CVE-2023-49103 10.0

This vulnerability in ownCloud's graphapi app exposes PHP configuration details (phpinfo) via a thir...

Same vulnerability type (CWE-200)