Description
SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url. Impacted configs include 'enable_logout' => true, and 'skip_logout_page' -> true. This issue has been resolved in versions 6.3.1 and 7.0.0.
Published: 2026-05-18
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SimpleSAMLphp casserver module allows an attacker to supply an arbitrary URL in the logout request, and the module treats that URL as trusted. The application will redirect the browser to the supplied address without validation, creating a classic open redirect flaw (CWE-601) that can be leveraged to lure users to malicious sites and facilitate phishing or credential theft.

Affected Systems

SimpleSAMLphp module casserver (simplesamlphp-module-casserver) is affected. Any installation running version 6.x prior to 6.3.1 or 7.x prior to 7.0.0, and configured with 'enable_logout' set to true or 'skip_logout_page' set to true, is vulnerable.

Risk and Exploitability

The CVSS score of 4.7 reflects moderate severity; no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation is possible via the public web interface; an attacker only needs to provide a crafted logout link or force the victim to visit a malicious URL. The impact is limited to user session redirection but can be used as part of phishing or credential-stealing campaigns.

Generated by OpenCVE AI on May 18, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the casserver module to version 6.3.1 or 7.0.0 or later, where the logout redirect is disabled by default.
  • If an upgrade cannot be performed immediately, disable the logout redirect functionality by setting 'enable_logout' to false or 'skip_logout_page' to false in the module configuration.
  • Apply a web application firewall rule to block or validate the redirect URL parameter, ensuring only trusted domains are accepted until a patch is applied.
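As an added illustration of the validation the last item recommends, the PHP function below is example code written for this page; it is not part of the OpenCVE record and not the casserver module's own code. It accepts a caller-supplied post-logout URL only when it parses cleanly, uses http or https, carries no userinfo in the authority, and has a host that exactly matches an allowlist; otherwise it returns a local fallback. The allowlist, the fallback path and the sample inputs are constructed for the demonstration.

```php
<?php
// Example only: not code from simplesamlphp-module-casserver.
// Validates an untrusted post-logout URL against a host allowlist before it is
// used in a Location header or rendered as a "continue" link.

declare(strict_types=1);

/**
 * Return $candidate if it is safe to redirect to, otherwise $fallback.
 *
 * @param string   $candidate    raw `url` query parameter (untrusted input)
 * @param string[] $allowedHosts hostnames that may receive the browser
 * @param string   $fallback     local URL used when the candidate is rejected
 */
function safeLogoutRedirect(string $candidate, array $allowedHosts, string $fallback): string
{
    $parts = parse_url($candidate);

    // Reject unparsable input, and anything lacking a scheme or host.
    // A protocol-relative URL ("//evil.test/") parses with a host but no scheme,
    // and "javascript:..." parses with a scheme but no host; both end up here.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }

    // Only plain web schemes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }

    // "https://app.example.com@evil.test/" puts the trusted name in the userinfo
    // part; parse_url() separates it, so a real host check still sees evil.test.
    // Rejecting userinfo outright keeps the rule simple.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }

    // Exact, case-insensitive host match. Prefix or substring matching
    // ("starts with app.example.com") would let app.example.com.evil.test through.
    $host = strtolower($parts['host']);
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return $fallback;
    }

    return $candidate;
}

// Constructed sample values for the demonstration.
$allowed  = ['sso.example.com', 'app.example.com'];
$fallback = '/logged-out';   // hypothetical local "you have been logged out" page

$samples = [
    'https://app.example.com/home',          // accepted: host on the allowlist
    'https://evil.test/phish',               // rejected: host not on the allowlist
    '//evil.test/phish',                     // rejected: no scheme (protocol-relative)
    'https://app.example.com.evil.test/',    // rejected: allowlisted name is only a prefix
    'https://app.example.com@evil.test/',    // rejected: userinfo trick
    'javascript:alert(1)',                   // rejected: no host, non-web scheme
];

foreach ($samples as $url) {
    printf("%-40s -> %s\n", $url, safeLogoutRedirect($url, $allowed, $fallback));
}
```

The function deliberately does not constrain the port or path, so `https://app.example.com:8443/anything` is accepted once the host matches; if a deployment only expects specific landing pages, compare `$parts['port']` and `$parts['path']` against expected values as well. The same check can be applied before rendering the "continue" link on the logout page, not only before issuing a redirect.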

Advisories

Source: Github GHSA
ID: GHSA-cvrm-5hp6-h523
Title: SimpleSAMLphp casserver: Open Redirect in logout
History

Mon, 18 May 2026 21:15:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 18 May 2026 20:15:00 +0000

Description, values added: SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url. Impacted configs include 'enable_logout' => true, and 'skip_logout_page' -> true. This issue has been resolved in versions 6.3.1 and 7.0.0.
Title, values added: SimpleSAMLphp-casserver has an Open Redirect vulnerability via logout
Weaknesses, values added: CWE-601
References, values added: (no values shown)
Metrics (cvssV3_0), values added:
{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T20:28:06.383Z

Reserved: 2025-11-18T16:14:56.693Z

Link: CVE-2025-65954

Vulnrichment

Updated: 2026-05-18T20:26:13.101Z

NVD

Status : Awaiting Analysis

Published: 2026-05-18T20:16:36.980

Modified: 2026-05-18T21:16:39.233

Link: CVE-2025-65954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T21:30:15Z

Weaknesses