SimpleSAMLphp casserver: Open Redirect in logout

Description

Summary

The logout endpoint accepts a url query parameter naming where to send the browser after logout. casserver treats that URL as trusted and, depending on configuration, either redirects the browser there immediately or shows a "you've been logged out" page with a link to continue to that URL.

There are a number of other things broken with logout in 7 (CAS v3 uses different query parameters, etc.).

Details

https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104

The previous version of the module checked the url parameter against the configured list of valid service URLs before using it.

PoC

The docker instructions from the README.md run an image with a vulnerable config.

Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google
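The pattern behind the Details and PoC sections, as an added example that is not code from the casserver module: the unvalidated redirect target beside the kind of allow-list check the advisory says the previous version performed. The config key 'legal_service_urls', the function names and the example hosts are assumptions for this illustration, and the check is my own approximation of a prefix allow-list, not the module's implementation (requires PHP 8.0+ for str_starts_with).

```php
<?php
// Added example, not code from simplesamlphp-module-casserver.
// Contrasts an unvalidated logout redirect with a prefix allow-list check.
// The config shape and key names below are assumptions for illustration.

declare(strict_types=1);

// Constructed config in the spirit of a casserver module config.
$config = [
    'enable_logout'      => true,
    'skip_logout_page'   => true,   // immediate redirect, no interstitial
    'legal_service_urls' => [       // assumed key name
        'https://app.example.edu/',
        'https://portal.example.edu/login',
    ],
];

// Vulnerable pattern: whatever the client sends in ?url= becomes the
// redirect target, so ?url=https://google.com sends the browser to Google.
function vulnerableLogoutTarget(string $url): string
{
    return $url;
}

// Hardened pattern: accept only http(s) targets that are prefixed by one
// of the configured legal service URLs.
function isLegalServiceUrl(string $url, array $legal): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Reject javascript:, data: and any other non-web scheme outright.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    foreach ($legal as $prefix) {
        // Plain prefix match on the full URL. Allow-list entries should end
        // in '/' or a full path so that https://app.example.edu.evil.com/
        // cannot satisfy an entry written as https://app.example.edu.
        if (str_starts_with($url, $prefix)) {
            return true;
        }
    }
    return false;
}

// Returns the redirect target, or null when logout is disabled or the
// target is not an allowed service URL.
function safeLogoutTarget(string $url, array $config): ?string
{
    if (!($config['enable_logout'] ?? false)) {
        return null;
    }
    $legal = $config['legal_service_urls'] ?? [];
    return isLegalServiceUrl($url, $legal) ? $url : null;
}

// Constructed inputs: the PoC target from the advisory, a legitimate
// service, a look-alike host and a non-web scheme.
$targets = [
    'https://google.com',
    'https://app.example.edu/dashboard',
    'https://app.example.edu.evil.com/',
    'javascript:alert(1)',
];
foreach ($targets as $t) {
    printf("%-38s vulnerable -> %s | hardened -> %s\n",
        $t,
        vulnerableLogoutTarget($t),
        safeLogoutTarget($t, $config) ?? '(refused)');
}
```

Run it with the php CLI; only https://app.example.edu/dashboard survives the hardened check, while the vulnerable function returns every input unchanged. With skip_logout_page enabled as above, the unvalidated target is followed immediately, which is why the advisory singles out that combination as the most exposed configuration.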

Impact

Impacted configs have

'enable_logout' => true,

and are most impacted if they also have

'skip_logout_page' => true,

Basic information

Type
reviewed
Severity
medium
Published (advisory)
2026-05-15 16:21:13 UTC
Updated
2026-05-19 16:08:51 UTC
GitHub reviewed
2026-05-15 16:21:13 UTC
NVD published
2026-05-18

EPSS Score

Score: 0.03%
Percentile: 8.28%

CVSS Scores

Base score: 4.7 (CVSS version 3.0, severity medium)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Credits

  • pradtke (reporter)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: composer
Package: simplesamlphp/simplesamlphp-module-casserver
  Vulnerable range: >= 7.0.0-rc1, < 7.0.0-rc3; first patched: 7.0.0
  Vulnerable range: < 6.3.1; first patched: 6.3.1
Vulnerable functions: none listed
