CVE-2025-65954: SimpleSAMLphp casserver: Open Redirect in logout
(updated )
The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a “you’ve been logged out” page with a link to continue to that url.
There are a number of other things broken with logout in 7 (cas v3 uses a different query parameters, etc)
References
- github.com/advisories/GHSA-cvrm-5hp6-h523
- github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php
- github.com/simplesamlphp/simplesamlphp-module-casserver/commit/0462f50f00b3bb300d83067d11b74146a57bb8e0
- github.com/simplesamlphp/simplesamlphp-module-casserver/commit/fb6c6f1c7b9e757c93c5c306e1d36405e64f6dc5
- github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523
- nvd.nist.gov/vuln/detail/CVE-2025-65954
Code Behaviors & Features
Detect and mitigate CVE-2025-65954 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →