Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url.
There are a number of other things broken with logout in 7 (cas v3 uses a different query parameters, etc)
Details
https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104
Previous module checked the url against the valid service urls.
PoC
The docker instructions from the README.md run an image with a vulnerable config.
Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google
Impact
Impacted configs have
'enable_logout' => true,and are most impacted if they also have
'skip_logout_page' -> true,AnalysisAI
Open redirect in SimpleSAMLphp casserver module allows remote attackers to redirect authenticated users to arbitrary external domains after logout. Versions prior to 6.3.1 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The logout endpoint accepts an unchecked 'url' query parameter without validating it against configured service URLs, enabling phishing attacks that leverage the trusted SimpleSAML domain. Public exploit code exists (POC: YES). EPSS data not available, but exploitation requires only user interaction (no authentication), making this readily exploitable in phishing campaigns targeting SSO users.
Technical ContextAI
SimpleSAMLphp casserver is a PHP module implementing CAS (Central Authentication Service) server functionality for federated single sign-on environments. The vulnerability exists in the LogoutController.php at line 104, where the logout endpoint processes the 'url' query parameter without validation. Previous versions of the module correctly validated redirect URLs against a whitelist of registered service URLs, but version 7.x removed this check. This is classified as CWE-601 (URL Redirection to Untrusted Site), commonly called an open redirect. The flaw violates the CAS protocol's security model, which requires service URL validation to prevent session riding and phishing attacks. When 'enable_logout' is true and especially when 'skip_logout_page' is also true, the module either directly redirects users or displays a logout confirmation page with an unvalidated link, both creating phishing vectors.
RemediationAI
Upgrade to SimpleSAMLphp casserver module version 6.3.1 for the 6.x series or version 7.0.0 for the 7.x series, both released by the vendor with fixes that restore URL validation against configured service URLs. Installation via Composer: composer update simplesamlphp/simplesamlphp-module-casserver. Until patching is complete, set 'enable_logout' => false in casserver configuration to disable the vulnerable logout endpoint entirely, though this eliminates Single Logout (SLO) functionality and may disrupt user workflows in federated environments. Alternative compensating control: set 'skip_logout_page' => false (default) to force display of logout confirmation page rather than automatic redirect, reducing but not eliminating phishing risk since malicious links remain clickable. Implement web application firewall (WAF) rules to inspect and block logout requests with 'url' parameters pointing to non-whitelisted domains, though this requires maintaining an accurate service URL whitelist and may break legitimate federated logout flows. Monitor authentication logs for suspicious logout patterns with external redirect targets. Advisory and patch details: https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209889
GHSA-cvrm-5hp6-h523