CVE-2025-65954
Severity: MEDIUM
SimpleSAMLphp CAS Server <6.3.1 and <7.0.0 Logout - Open Redirect
Title source: manual

Description
SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a `url` query parameter naming where to redirect after logout. casserver treats that url as trusted and, depending on configuration, either redirects the browser there directly or shows a "you've been logged out" page with a link to continue to that url. Because the value is attacker-controllable and never checked against the registered services, a crafted logout link can send a user who has just logged out to an arbitrary external site (CWE-601). Impacted configurations include 'enable_logout' => true and 'skip_logout_page' => true. This issue has been resolved in versions 6.3.1 and 7.0.0.
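The root cause above is a redirect target taken verbatim from the request. The following is an added example (not code from the casserver module or from the fix commits) of the check a CAS logout handler should apply before redirecting to, or linking to, a caller-supplied url: accept only same-site paths or absolute http(s) URLs whose origin is on an allowlist of registered service origins, and fall back to a fixed local page otherwise. The allowlist, the fallback path and the function names are assumptions made for this example; the rejected inputs cover the usual open-redirect bypasses (scheme-relative `//host`, backslash variants, userinfo confusion, subdomain lookalikes, non-http schemes) rather than only the plain external URL the advisory describes.

```python
"""Open-redirect guard for a CAS-style logout `url` parameter.

Added example: the allowlist, fallback page and helper names are
assumptions for illustration, not the casserver module's own code.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist of registered service origins (scheme + host [+ port]).
ALLOWED_ORIGINS = {
    "https://app.example.edu",
    "https://portal.example.edu:8443",
}
# Assumed local landing page used when the supplied url is rejected.
FALLBACK = "/module.php/casserver/loggedOut"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def is_safe_redirect(url: str, allowed_origins: Iterable[str] = ALLOWED_ORIGINS) -> bool:
    """Return True only for a same-site path or an allowlisted http(s) origin."""
    if not url or any(c in url for c in "\r\n\x00"):
        return False  # empty, header-injection or NUL-bearing values
    # Browsers treat backslashes like slashes; normalise before parsing so
    # "/\evil.test" and "https:\\evil.test" are judged on their real meaning.
    normalized = url.replace("\\", "/")
    if normalized.startswith("/"):
        # A relative path stays on this host unless it is scheme-relative.
        return not normalized.startswith("//")
    try:
        parts = urlsplit(normalized)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False  # javascript:, data:, and scheme-less "evil.test/x"
    if not parts.hostname or parts.username is not None or parts.password is not None:
        return False  # "https://app.example.edu@evil.test" userinfo confusion
    if port is None or port == _DEFAULT_PORTS[scheme]:
        origin = f"{scheme}://{parts.hostname}"
    else:
        origin = f"{scheme}://{parts.hostname}:{port}"
    # hostname is already lowercased by urlsplit; exact origin match defeats
    # lookalike hosts such as app.example.edu.evil.test.
    return origin in set(allowed_origins)


def logout_target(url: Optional[str], allowed_origins: Iterable[str] = ALLOWED_ORIGINS) -> str:
    """Destination for the redirect or the "continue" link after logout."""
    if url is not None and is_safe_redirect(url, allowed_origins):
        return url
    return FALLBACK


if __name__ == "__main__":
    for candidate in ("https://app.example.edu/", "//evil.test/", "https://app.example.edu@evil.test/"):
        print(f"{candidate!r:45} -> {logout_target(candidate)}")
```

The same `logout_target` result feeds both configurations the advisory names: with 'skip_logout_page' => true it is the Location header, otherwise it is the href on the logged-out page. Either way an untrusted value never reaches the user unchecked.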
References (3)
x_refsource_confirm: https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523
x_refsource_misc: https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/0462f50f00b3bb300d83067d11b74146a57bb8e0
x_refsource_misc: https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/fb6c6f1c7b9e757c93c5c306e1d36405e64f6dc5
Scores
CVSS v3 base score: 6.1
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0027 (percentile 18.3%)
CISA SSVC (Vulnrichment): Exploitation: poc; Automatable: no; Technical Impact: partial
Details
CWE: CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")
Status: published
Products (8)
simplesamlphp/simplesamlphp-casserver: 7.0.0 rc2
simplesamlphp/simplesamlphp-casserver: < 6.3.1
simplesamlphp/simplesamlphp-module-casserver: 7.0.0 rc1 (2 CPE variants)
simplesamlphp/simplesamlphp-module-casserver: < 6.3.1 (2 CPE variants)
simplesamlphp/simplesamlphp-module-casserver: 0 - 6.3.1 (Packagist)
simplesamlphp/simplesamlphp-module-casserver: 7.0.0-rc1 - 7.0.0 (Packagist)
simplesamlphp/simplesamlphp-module-casserver: >= 7.0.0-rc1, < 7.0.0
simplesamlphp/simplesamlphp_casserver: 7.0.0 rc1
Published: May 18, 2026
Tracked Since: May 19, 2026