Skip to main content

SimpleSAMLphp casserver CVE-2025-65954

| EUVDEUVD-2025-209889 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-15 https://github.com/simplesamlphp/simplesamlphp-module-casserver GHSA-cvrm-5hp6-h523
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
May 21, 2026 - 21:07 NVD
4.7 (MEDIUM) 6.1 (MEDIUM)
Source Code Evidence Fetched
May 15, 2026 - 17:00 vuln.today
Analysis Generated
May 15, 2026 - 17:00 vuln.today

DescriptionGitHub Advisory

Summary

The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url.

There are a number of other things broken with logout in 7 (cas v3 uses a different query parameters, etc)

Details

https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104

Previous module checked the url against the valid service urls.

PoC

The docker instructions from the README.md run an image with a vulnerable config.

Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google

Impact

Impacted configs have

php
'enable_logout' => true,

and are most impacted if they also have

'skip_logout_page' -> true,

AnalysisAI

Open redirect in SimpleSAMLphp casserver module allows remote attackers to redirect authenticated users to arbitrary external domains after logout. Versions prior to 6.3.1 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The logout endpoint accepts an unchecked 'url' query parameter without validating it against configured service URLs, enabling phishing attacks that leverage the trusted SimpleSAML domain. Public exploit code exists (POC: YES). EPSS data not available, but exploitation requires only user interaction (no authentication), making this readily exploitable in phishing campaigns targeting SSO users.

Technical ContextAI

SimpleSAMLphp casserver is a PHP module implementing CAS (Central Authentication Service) server functionality for federated single sign-on environments. The vulnerability exists in the LogoutController.php at line 104, where the logout endpoint processes the 'url' query parameter without validation. Previous versions of the module correctly validated redirect URLs against a whitelist of registered service URLs, but version 7.x removed this check. This is classified as CWE-601 (URL Redirection to Untrusted Site), commonly called an open redirect. The flaw violates the CAS protocol's security model, which requires service URL validation to prevent session riding and phishing attacks. When 'enable_logout' is true and especially when 'skip_logout_page' is also true, the module either directly redirects users or displays a logout confirmation page with an unvalidated link, both creating phishing vectors.

RemediationAI

Upgrade to SimpleSAMLphp casserver module version 6.3.1 for the 6.x series or version 7.0.0 for the 7.x series, both released by the vendor with fixes that restore URL validation against configured service URLs. Installation via Composer: composer update simplesamlphp/simplesamlphp-module-casserver. Until patching is complete, set 'enable_logout' => false in casserver configuration to disable the vulnerable logout endpoint entirely, though this eliminates Single Logout (SLO) functionality and may disrupt user workflows in federated environments. Alternative compensating control: set 'skip_logout_page' => false (default) to force display of logout confirmation page rather than automatic redirect, reducing but not eliminating phishing risk since malicious links remain clickable. Implement web application firewall (WAF) rules to inspect and block logout requests with 'url' parameters pointing to non-whitelisted domains, though this requires maintaining an accurate service URL whitelist and may break legitimate federated logout flows. Monitor authentication logs for suspicious logout patterns with external redirect targets. Advisory and patch details: https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2025-65954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy