SimpleSAMLphp-casserver, Open Redirect, CVE-2025-65954 (Medium)

Listen to this Post

How the mentioned CVE works

The vulnerability exists in the logout endpoint of the SimpleSAMLphp casserver module (CAS 1.0/2.0 compliant server). When `enable_logout` is set to `true` (default for CAS), the endpoint accepts a `url` query parameter to specify a post-logout redirection target. The code improperly treats this user-supplied URL as fully trusted without any validation or sanitization. This allows an attacker to inject arbitrary external URLs, including malicious phishing sites or JavaScript handlers.
In configurations where `skip_logout_page` is also true, the server immediately issues an HTTP 302 redirect to the attacker-controlled URL after destroying the local session. If `skip_logout_page` is false, the server displays a “you’ve been logged out” HTML page that includes a clickable link to the untrusted URL – still a functional open redirect because users are likely to click the link.
The vulnerable code path resides in `lib/CAS/Logout.php` or similar, where `$request->getQueryParam(‘url’)` is fetched and directly passed to a redirection function like $this->getUtils()->redirect($url). No checks against internal domains, allowed hosts, or protocol whitelists are performed. An attacker can craft a logout URL such as:
https://cas.server.com/saml/module.php/casserver/logout?url=https://evil.com/phish`
When a logged-in victim clicks this link, they are logged out of the CAS server and immediately redirected to the attacker’s site, which can mimic the original login page to steal credentials.
The issue affects all casserver module versions below 6.3.1 (for the 6.x branch) and version 7.0.0 (the initial 7.x release). Patched versions are 6.3.1 and 7.0.0, where the redirect logic now validates the `url` parameter against a configurable whitelist or rejects external domains by default.
<h2 style="color: blue;">dailycve form:</h2>
Platform: SimpleSAMLphp casserver
Version: Below 6.3.1
Vulnerability: Open redirect
Severity: Medium
date: 18 May 2026
<h2 style="color: blue;">Prediction: Already patched</h2>
<h2 style="color: blue;">What Undercode Say:</h2>

Check installed casserver version
grep 'casserver' /var/simplesamlphp/modules/casserver/config/module.php
Test for open redirect vulnerability
curl -v "https://cas.example.com/saml/module.php/casserver/logout?url=http://evil.com"
Audit configuration for unsafe settings
grep -E "enable_logout.true|skip_logout_page.true" /var/simplesamlphp/config/authsources.php

<h2 style="color: blue;">Exploit:</h2>

GET /module.php/casserver/logout?url=https://attacker.com/fake-login HTTP/1.1
Host: vulnerable-cas-server.com
Cookie: SAMLSession=abcd1234

Upon clicking, victim is logged out and redirected toattacker.com/fake-login. Attackers can also use `data:` or `javascript:` URIs if no scheme restriction exists.
<h2 style="color: blue;">Protection from this CVE</h2>
- Upgrade to casserver 6.3.1 or 7.0.0 immediately.
- If upgrade not possible, set `'skip_logout_page' => false` and manually review all logout redirect links.
- Implement a whitelist of allowed redirect domains in
config.php`:

'logout.redirect.whitelist' => ['cas.example.com', 'app.example.org']

– Use a Web Application Firewall (WAF) rule to block `url=` parameters containing non-internal domains or special schemes.

Impact

  • Phishing attacks – Users are redirected to attacker-controlled pages after a legitimate logout, increasing trust in the fake page.
  • Credential theft – Malicious login forms can capture CAS passwords.
  • Session fixation/reset – Combined with other flaws, could lead to session hijacking (though session is destroyed here, the redirect aids social engineering).
  • Reputation damage – A public CAS server with open redirect may be used in spam or fraud campaigns, blacklisting the domain.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top