GHSA-cvrm-5hp6-h523

Source
https://github.com/advisories/GHSA-cvrm-5hp6-h523
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-cvrm-5hp6-h523/GHSA-cvrm-5hp6-h523.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cvrm-5hp6-h523
Aliases
  • CVE-2025-65954
Published
2026-05-15T16:21:13Z
Modified
2026-05-15T16:32:16.170164Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Summary
SimpleSAMLphp casserver: Open Redirect in logout
Details

Summary

The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url.

There are a number of other things broken with logout in version 7 (CAS v3 uses different query parameters, etc.).

Details

https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104

The previous version of the module checked the url against the valid service urls.
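The following is an added example, not code from the casserver module, showing the kind of check the previous version performed: the logout handler honours the url parameter only when it matches a configured service URL, and otherwise neither redirects nor renders a continue link. It uses the enable_logout and skip_logout_page keys named under Impact; the legal_service_urls key, the function names and the sample config are assumptions, and str_starts_with requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not the casserver module's own code): a logout handler that
// only honours the url parameter when it matches a configured service URL.
// Assumptions: PHP 8 (str_starts_with), a config array using the page's
// enable_logout and skip_logout_page keys, and a hypothetical
// legal_service_urls key holding the allowed service URL prefixes.

/**
 * True when $url is an absolute http(s) URL whose scheme, host, port and
 * path prefix match one of the configured service URLs; false otherwise.
 */
function isAllowedLogoutUrl(string $url, array $legalServiceUrls): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative, scheme-less or unparsable: reject
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // only http(s) targets are acceptable
    }
    foreach ($legalServiceUrls as $allowed) {
        $a = parse_url($allowed);
        if ($a === false || !isset($a['scheme'], $a['host'])) {
            continue; // misconfigured entry: never matches
        }
        // Compare parsed components rather than the raw string, so a host
        // that merely begins with the allowed host name does not match.
        if (strtolower($parts['scheme']) !== strtolower($a['scheme'])) {
            continue;
        }
        if (strtolower($parts['host']) !== strtolower($a['host'])) {
            continue;
        }
        if (($parts['port'] ?? null) !== ($a['port'] ?? null)) {
            continue; // an explicit port must match the configured one exactly
        }
        if (!str_starts_with($parts['path'] ?? '/', $a['path'] ?? '/')) {
            continue;
        }
        return true;
    }
    return false;
}

/**
 * Build the logout response: a 302 to $requestedUrl only when it is allowed
 * and skip_logout_page is set; otherwise the logout page, whose "continue"
 * link is likewise only rendered for an allowed url.
 * Returns ['status' => int, 'location' => ?string, 'body' => string].
 */
function handleLogout(array $config, ?string $requestedUrl): array
{
    if (!($config['enable_logout'] ?? false)) {
        return ['status' => 404, 'location' => null, 'body' => 'Logout is disabled.'];
    }
    $target = null;
    if ($requestedUrl !== null
        && isAllowedLogoutUrl($requestedUrl, $config['legal_service_urls'] ?? [])) {
        $target = $requestedUrl;
    }
    if ($target !== null && ($config['skip_logout_page'] ?? false)) {
        return ['status' => 302, 'location' => $target, 'body' => ''];
    }
    $body = 'You have been logged out.';
    if ($target !== null) {
        $body .= ' <a href="' . htmlspecialchars($target, ENT_QUOTES) . '">Continue</a>';
    }
    return ['status' => 200, 'location' => null, 'body' => $body];
}

// Constructed sample config (mirrors the settings named under Impact) and
// constructed sample url values: one on the allowed service, the rest not.
$config = [
    'enable_logout'      => true,
    'skip_logout_page'   => true,
    'legal_service_urls' => ['https://sp.example.org/'],
];

foreach (['https://sp.example.org/app/after-logout',
          'https://google.com',
          'https://sp.example.org.attacker.test/',
          '//google.com'] as $url) {
    $r = handleLogout($config, $url);
    printf("%-45s -> %d %s\n", $url, $r['status'], $r['location'] ?? '(logout page)');
}
```

The check compares parsed URL components instead of doing a raw string prefix match, because a prefix match on a configured value without a trailing slash would also accept a longer host name that happens to start with it; scheme-relative and non-http(s) values are rejected outright, so in the skip_logout_page configuration the handler falls back to the plain logout page rather than redirecting.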

PoC

The docker instructions from the README.md run an image with a vulnerable config.

Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google

Impact

Impacted configs have

'enable_logout' => true,

and are most impacted if they also have

'skip_logout_page' => true,

Database specific
{
    "cwe_ids": [
        "CWE-601"
    ],
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-05-15T16:21:13Z",
    "github_reviewed": true
}
References

Affected packages

Packagist / simplesamlphp/simplesamlphp-module-casserver

Package

Name
simplesamlphp/simplesamlphp-module-casserver
Purl
pkg:composer/simplesamlphp/simplesamlphp-module-casserver

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0-rc1
Fixed
7.0.0

Affected versions

v7.*
v7.0.0-rc1
v7.0.0-rc2
v7.0.0-rc3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-cvrm-5hp6-h523/GHSA-cvrm-5hp6-h523.json"
last_known_affected_version_range
"< 7.0.0-rc3"

Packagist / simplesamlphp/simplesamlphp-module-casserver

Package

Name
simplesamlphp/simplesamlphp-module-casserver
Purl
pkg:composer/simplesamlphp/simplesamlphp-module-casserver

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.3.1

Affected versions

v6.*
v6.0.0
v6.1.0
v6.1.1
v6.1.2
v6.2.0
v6.2.1
v6.3.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-cvrm-5hp6-h523/GHSA-cvrm-5hp6-h523.json"