SimpleSAMLphp casserver: Open Redirect in logout
🔗 CVE IDs covered (1)
📋 Description
Summary
The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url.
There are a number of other things broken with logout in 7 (CAS v3 uses different query parameters, etc.).
Details
https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104
Previous module checked the url against the valid service urls.
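The check the previous module performed, and the fix restores, is an allowlist comparison: the logout redirect target is honoured only if it matches one of the configured legitimate service URLs, otherwise the user is sent to a fixed landing page. The following is an added illustrative example written for this page, not code from the simplesamlphp-module-casserver project; the helper names, the `$legalServiceUrls` array and the sample URLs are assumptions (constructed sample data), and it assumes PHP 8 for `str_starts_with`.

```php
<?php
// Added example, not the casserver module's own code: an allowlist check for a
// logout redirect target, in the spirit of "validate the url against the valid
// service urls" described in the advisory.
declare(strict_types=1);

/**
 * Return true when $url is an absolute http(s) URL whose scheme, host and port
 * match one of the configured service URL prefixes and whose path begins with
 * that prefix's path. $legalServiceUrls is assumed to be a list of URL prefixes
 * taken from the deployment's configuration (hypothetical helper).
 */
function isAllowedRedirect(string $url, array $legalServiceUrls): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative, scheme-relative ("//host") or malformed: refuse
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // anything that is not a web URL is never a valid service
    }
    foreach ($legalServiceUrls as $allowed) {
        $a = parse_url($allowed);
        if ($a === false || !isset($a['scheme'], $a['host'])) {
            continue; // skip unusable allowlist entries instead of matching loosely
        }
        // Full origin comparison: a host that merely contains or ends with the
        // allowed host name, or a different port, does not match.
        $sameOrigin = strtolower($a['scheme']) === strtolower($parts['scheme'])
            && strtolower($a['host']) === strtolower($parts['host'])
            && ($a['port'] ?? null) === ($parts['port'] ?? null);
        $allowedPath = $a['path'] ?? '/';
        $urlPath = $parts['path'] ?? '/';
        if ($sameOrigin && str_starts_with($urlPath, $allowedPath)) {
            return true;
        }
    }
    return false;
}

/**
 * Decide where the logout flow may send the browser: the requested URL if it is
 * on the allowlist, otherwise a fixed fallback page (hypothetical helper).
 */
function safeLogoutTarget(?string $requested, array $legalServiceUrls, string $fallback): string
{
    if ($requested !== null && isAllowedRedirect($requested, $legalServiceUrls)) {
        return $requested;
    }
    return $fallback;
}

// Constructed sample allowlist and requests (not from the advisory).
$legal = ['https://app.example.org/', 'https://portal.example.org:8443/cas/'];
$fallback = '/cas/loggedout';

var_dump(safeLogoutTarget('https://app.example.org/home', $legal, $fallback));        // requested URL kept
var_dump(safeLogoutTarget('https://google.com', $legal, $fallback));                  // fallback: host not allowed
var_dump(safeLogoutTarget('https://app.example.org.test/', $legal, $fallback));       // fallback: different host
var_dump(safeLogoutTarget('//google.com', $legal, $fallback));                        // fallback: no scheme
var_dump(safeLogoutTarget('https://portal.example.org/cas/', $legal, $fallback));     // fallback: port differs
var_dump(safeLogoutTarget(null, $legal, $fallback));                                  // fallback: no url given
```

The comparison is deliberately on parsed components rather than a string prefix of the raw URL, because a plain `str_starts_with($url, $allowed)` would accept a different host that merely begins with the allowed text. The same check applies in both configurations the advisory mentions: when `skip_logout_page` is on and the controller redirects immediately, and when it renders the logged-out page with a continue link, since the link is just as untrusted as the redirect.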
PoC
The docker instructions from the README.md run an image with a vulnerable config.
Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google
Impact
Impacted configs have
'enable_logout' => true,
and are most impacted if they also have
'skip_logout_page' => true,
🎯 Affected products (2)
- composer/simplesamlphp/simplesamlphp-module-casserver:>= 7.0.0-rc1, < 7.0.0-rc3
- composer/simplesamlphp/simplesamlphp-module-casserver:< 6.3.1
🔗 References (6)
- https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523
- https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104
- https://nvd.nist.gov/vuln/detail/CVE-2025-65954
- https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/0462f50f00b3bb300d83067d11b74146a57bb8e0
- https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/fb6c6f1c7b9e757c93c5c306e1d36405e64f6dc5
- https://github.com/advisories/GHSA-cvrm-5hp6-h523