GHSA-CVRM-5HP6-H523

Vulnerability from github – Published: 2026-05-15 16:21 – Updated: 2026-05-19 16:08
Summary
SimpleSAMLphp casserver: Open Redirect in logout
Details

Summary

The logout endpoint accepts a url query parameter to redirect to. casserver treats that URL as trusted and, depending on configuration, either redirects the browser there immediately or shows a "you've been logged out" page with a link to continue to that URL. Because the value is never checked against the registered services, a logout link on the legitimate SSO host can send the user to any site an attacker chooses.

A number of other things are also broken with logout in version 7 (CAS v3 uses different query parameters, etc.).

Details

https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104

The previous module checked the url against the valid service URLs; this version does not.
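The following is an added illustration of the check the advisory says is missing: an allowlist test for the logout target against registered service URL prefixes, with the trusting behaviour beside the hardened one. It is written in Python for clarity and is not casserver's code (the module is PHP); the allowlist entries, hostnames, the DEFAULT_LANDING page and the function names are assumptions constructed for the example.

```python
"""Allowlist check for a CAS logout redirect target.

Added illustration, not the casserver module's own code.  The allowlist,
hostnames and landing page below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed allowlist of registered service URL prefixes (assumption:
# entries are absolute URLs whose path is treated as a prefix).
ALLOWED_SERVICES = (
    "https://app.example.org/",
    "https://portal.example.org/cas/",
)

# Constructed fallback used when the requested target is not allowed.
DEFAULT_LANDING = "https://sso.example.org/cas/logged-out"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """Return (scheme, host, port) with the default port filled in, or None
    when the URL has no usable host, an unsupported scheme or a bad port."""
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS:
        return None                      # "javascript:", "//host/" (no scheme)
    try:
        port = parts.port
    except ValueError:                   # e.g. "https://host:abc/"
        return None
    host = parts.hostname                # already lower-cased by urlsplit
    if not host:
        return None
    return scheme, host, port or _DEFAULT_PORTS[scheme]


def is_allowed_logout_target(url, allowed=ALLOWED_SERVICES):
    """True only if url shares scheme, host and port with an allowlist entry
    and its path starts with that entry's path."""
    if not url or any(ch in url for ch in " \t\r\n\\"):
        return False                     # whitespace / backslash confusion
    try:
        parts = urlsplit(url)
    except ValueError:                   # e.g. unbalanced IPv6 brackets
        return False
    if parts.username is not None or parts.password is not None:
        return False                     # "https://app.example.org@evil.example/"
    target = _origin(parts)
    if target is None:
        return False
    path = parts.path or "/"
    for entry in allowed:
        entry_parts = urlsplit(entry)
        if _origin(entry_parts) == target and path.startswith(entry_parts.path or "/"):
            return True
    return False                         # includes "app.example.org.evil.example"


def logout_redirect_target(url_param, allowed=ALLOWED_SERVICES, validate=True):
    """Location a logout handler should send.

    validate=False reproduces the behaviour the advisory describes: the url
    parameter is trusted as-is, so any absolute URL becomes an open redirect.
    validate=True honours only allowlisted targets and otherwise falls back
    to the constructed landing page.
    """
    if not url_param:
        return DEFAULT_LANDING
    if not validate:
        return url_param
    if is_allowed_logout_target(url_param, allowed):
        return url_param
    return DEFAULT_LANDING


if __name__ == "__main__":
    for candidate in ("https://app.example.org/home",
                      "https://google.com",
                      "https://app.example.org@evil.example/",
                      "//evil.example/"):
        print(candidate, "| trusting:", logout_redirect_target(candidate, validate=False),
              "| checked:", logout_redirect_target(candidate))
```

The comparison is on the full origin (scheme, host, port) plus a path prefix rather than a string prefix of the whole URL, which is what defeats the userinfo, subdomain-suffix and scheme-relative variants a plain startswith check would let through.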

PoC

The Docker instructions in the README.md run an image with a vulnerable config.

Accessing https://localhost/cas/logout?url=https://google.com redirects the browser to Google (or, when skip_logout_page is false, shows the logout page with a link to Google).

Impact

Impacted configs have

'enable_logout' => true,

and are most impacted if they also have

'skip_logout_page' => true,

since the browser is then sent straight to the attacker-supplied URL with no interstitial page. Fixed in 6.3.1 and 7.0.0 (see the affected ranges below); deployments that do not need CAS logout can leave enable_logout false until upgraded.

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 7.0.0-rc3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/simplesamlphp-module-casserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0-rc1"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/simplesamlphp-module-casserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-15T16:21:13Z",
    "nvd_published_at": "2026-05-18T20:16:36Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe logout endpoint accepts a `url` query parameter to redirect to.  casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a \"you\u0027ve been logged out\" page with a link to continue to that url.\n\nThere are a number of other things broken with logout in 7 (cas v3 uses a different query parameters, etc)\n\n### Details\n\nhttps://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104\n\nPrevious module checked the url against the valid service urls.\n\n### PoC\n\nThe docker instructions from the README.md run an image with a vulnerable config. \n\nAccessing  https://localhost/cas/logout?url=https://google.com  will redirect to Google\n\n### Impact\n\nImpacted configs have\n\n```php\n\u0027enable_logout\u0027 =\u003e true,\n```\n\nand are most impacted if they also have\n\n```\n\u0027skip_logout_page\u0027 -\u003e true,\n```",
  "id": "GHSA-cvrm-5hp6-h523",
  "modified": "2026-05-19T16:08:50Z",
  "published": "2026-05-15T16:21:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65954"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/0462f50f00b3bb300d83067d11b74146a57bb8e0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/fb6c6f1c7b9e757c93c5c306e1d36405e64f6dc5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simplesamlphp/simplesamlphp-module-casserver"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SimpleSAMLphp casserver: Open Redirect in logout"
}