CVE-2025-4210 Overview
CVE-2025-4210 is an authorization bypass vulnerability in Casdoor, an open-source identity and access management platform. The flaw resides in the HandleScim function within controllers/scim.go, which exposes the System for Cross-domain Identity Management (SCIM) User Creation Endpoint. The endpoint failed to verify administrator privileges before processing requests, allowing remote unauthenticated attackers to create user accounts. The vulnerability affects Casdoor versions up to and including 1.811.0 and is resolved in version 1.812.0 via commit 3d12ac8dc2282369296c3386815c00a06c6a92fe. The weakness is classified under CWE-285: Improper Authorization.
Critical Impact
Remote unauthenticated attackers can invoke the SCIM User Creation Endpoint to provision accounts, undermining the integrity of identity data managed by Casdoor.
Affected Products
- Casdoor versions up to and including 1.811.0
- Component: SCIM User Creation Endpoint (controllers/scim.go)
- Fixed in Casdoor 1.812.0
Discovery Timeline
- 2025-05-02 - CVE-2025-4210 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-4210
Vulnerability Analysis
The vulnerability is an authorization bypass in the SCIM endpoint handler of Casdoor. SCIM is a standard protocol for automating user identity provisioning between systems. In affected versions, the HandleScim function in controllers/scim.go forwarded incoming SCIM requests directly to the SCIM server without enforcing an administrator authorization check. Because SCIM endpoints support privileged identity operations such as creating users, the missing access control allowed any remote caller to reach functionality reserved for administrators.
Root Cause
The root cause is a missing authorization gate in the request handler. The HandleScim controller routed traffic through scim.Server.ServeHTTP without first calling the framework's RequireAdmin helper. This omission falls under CWE-285 (Improper Authorization), where the application performs the requested action without confirming the caller has the necessary privileges.
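The missing gate and its fix, as an added illustration that is not Casdoor's code: a stand-in SCIM server (hypothetical scimServer, which only knows POST /Users) sits behind two front handlers. vulnerableHandler mirrors the pre-fix flow, trimming the /scim prefix and forwarding unconditionally; hardenedHandler runs an administrator check first and answers 403 with an explicit status before any SCIM operation is reached. The isAdmin check and the constructed bearer token are assumptions standing in for Casdoor's session handling.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// scimServer is a hypothetical stand-in for a SCIM provider: it provisions a
// user on POST /Users and records the created names. It is not Casdoor's scim.Server.
type scimServer struct {
	users []string
}

func (s *scimServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodPost && r.URL.Path == "/Users" {
		var body struct {
			UserName string `json:"userName"`
		}
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.UserName == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		s.users = append(s.users, body.UserName)
		w.WriteHeader(http.StatusCreated)
		return
	}
	http.NotFound(w, r)
}

// constructedAdminToken is a made-up credential used only by this example.
const constructedAdminToken = "Bearer admin-token-EXAMPLE"

// isAdmin is a hypothetical authorization check standing in for a real session
// or API-token lookup: only a request carrying the constructed token is an admin.
func isAdmin(r *http.Request) bool {
	return r.Header.Get("Authorization") == constructedAdminToken
}

// vulnerableHandler mirrors the pre-fix pattern: the path prefix is trimmed and
// the request is forwarded to the SCIM server with no authorization gate at all.
func vulnerableHandler(s *scimServer) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.URL.Path = strings.TrimPrefix(r.URL.Path, "/scim")
		s.ServeHTTP(w, r)
	})
}

// hardenedHandler mirrors the post-fix pattern: the admin check runs before the
// request can reach any SCIM operation, and the rejection carries an explicit status.
func hardenedHandler(s *scimServer) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAdmin(r) {
			http.Error(w, "administrator privileges required", http.StatusForbidden)
			return
		}
		r.URL.Path = strings.TrimPrefix(r.URL.Path, "/scim")
		s.ServeHTTP(w, r)
	})
}

// provision sends a constructed SCIM user-creation request through h and returns
// the HTTP status and how many users the backing server holds afterwards.
func provision(h http.Handler, s *scimServer, auth string) (int, int) {
	req := httptest.NewRequest(http.MethodPost, "/scim/Users",
		strings.NewReader(`{"userName":"constructed-user"}`))
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, len(s.users)
}

func main() {
	vs := &scimServer{}
	code, n := provision(vulnerableHandler(vs), vs, "")
	fmt.Printf("vulnerable handler, no credentials: status=%d users=%d\n", code, n)

	hs := &scimServer{}
	code, n = provision(hardenedHandler(hs), hs, "")
	fmt.Printf("hardened handler, no credentials:   status=%d users=%d\n", code, n)
	code, n = provision(hardenedHandler(hs), hs, constructedAdminToken)
	fmt.Printf("hardened handler, admin token:      status=%d users=%d\n", code, n)
}
```

The point of the shape is that the gate sits in the front handler, before the prefix trim and before dispatch, so it covers every SCIM operation the backing server exposes rather than only user creation, and that a failed check writes an error status rather than returning silently.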
Attack Vector
The attack is network-reachable and requires no authentication or user interaction. An attacker sends an HTTP request to the /scim path on a vulnerable Casdoor instance and invokes SCIM operations such as user creation. Successful exploitation can introduce attacker-controlled identities into the IAM platform, providing a foothold for downstream access to applications that trust Casdoor.
// Patch from controllers/scim.go - feat: improve HandleScim()
func (c *RootController) HandleScim() {
+ _, ok := c.RequireAdmin()
+ if !ok {
+ return
+ }
+
path := c.Ctx.Request.URL.Path
c.Ctx.Request.URL.Path = strings.TrimPrefix(path, "/scim")
scim.Server.ServeHTTP(c.Ctx.ResponseWriter, c.Ctx.Request)
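Review bot: the bare `return` after `if !ok` is only safe if `c.RequireAdmin()` has already written the 401/403 response before reporting `ok == false`; the hunk does not show that helper, so confirm it, otherwise a rejected caller gets an empty reply with no error status set. The placement itself is right: the check runs before the `/scim` prefix is trimmed and before `scim.Server.ServeHTTP` is reached, so every SCIM operation is gated, not only user creation. The excerpt also ends at the `ServeHTTP` call without the handler's closing brace.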
Source: Casdoor commit 3d12ac8. The patch adds a RequireAdmin() check that aborts the handler when the caller is not an administrator.
Detection Methods for CVE-2025-4210
Indicators of Compromise
- Unexpected POST requests to URI paths beginning with /scim/Users from unauthenticated or unfamiliar source addresses.
- Newly created Casdoor user accounts with no corresponding administrator action in audit trails.
- Casdoor running a version at or below 1.811.0 exposed to untrusted networks.
Detection Strategies
- Inspect HTTP access logs for requests to /scim/* endpoints lacking valid admin session cookies or API tokens.
- Compare Casdoor user inventory against authoritative HR or directory sources to flag accounts created outside change-control processes.
- Run version inventory queries against Casdoor deployments and alert on builds older than 1.812.0.
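The first two detection strategies above, carried out on constructed data as an added example (not tooling from Casdoor or the NVD entry): flagScimRequests scans NGINX combined-format access-log lines and reports any SCIM request from outside the trusted management ranges, plus any successful SCIM write even from a trusted source, since a 201 on /scim/Users is the event that needs a matching change record; unreconciledUsers diffs a Casdoor user list against an authoritative HR list. The log lines, user lists and the 10.0.0.0/8 trusted range are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding is one access-log line worth an analyst's attention.
type Finding struct {
	Source string
	Method string
	Path   string
	Status int
	Reason string
}

// logLine matches the start of an NGINX combined-format line:
// source, ident, user, [timestamp], "METHOD PATH PROTO", status.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// parseCIDRs turns CIDR strings into networks, skipping any that fail to parse.
func parseCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			nets = append(nets, n)
		}
	}
	return nets
}

// flagScimRequests returns a finding for every SCIM request from an untrusted
// source and for every successful non-GET SCIM request from a trusted one.
func flagScimRequests(lines []string, trusted []*net.IPNet) []Finding {
	var out []Finding
	for _, l := range lines {
		m := logLine.FindStringSubmatch(l)
		if m == nil {
			continue // not a parseable access-log line
		}
		src, method, path := m[1], m[2], m[3]
		status, _ := strconv.Atoi(m[4])
		if !strings.HasPrefix(path, "/scim") {
			continue
		}
		ip := net.ParseIP(src)
		inTrusted := false
		for _, n := range trusted {
			if ip != nil && n.Contains(ip) {
				inTrusted = true
				break
			}
		}
		switch {
		case !inTrusted:
			out = append(out, Finding{src, method, path, status, "SCIM request from untrusted source"})
		case method != "GET" && status >= 200 && status < 300:
			out = append(out, Finding{src, method, path, status, "successful SCIM write; verify against change records"})
		}
	}
	return out
}

// unreconciledUsers returns Casdoor accounts absent from the authoritative HR
// list (case-insensitive match), sorted for stable reporting.
func unreconciledUsers(casdoor, hr []string) []string {
	known := make(map[string]bool, len(hr))
	for _, u := range hr {
		known[strings.ToLower(u)] = true
	}
	var out []string
	for _, u := range casdoor {
		if !known[strings.ToLower(u)] {
			out = append(out, u)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample data: 10.0.0.0/8 is the management network, 203.0.113.7 is not.
var sampleLog = []string{
	`10.0.0.5 - - [02/May/2025:10:00:01 +0000] "POST /scim/Users HTTP/1.1" 201 312 "-" "provisioning-agent/1.0"`,
	`203.0.113.7 - - [02/May/2025:10:02:13 +0000] "POST /scim/Users HTTP/1.1" 201 312 "-" "curl/8.0"`,
	`203.0.113.7 - - [02/May/2025:10:02:14 +0000] "GET /scim/Users HTTP/1.1" 403 0 "-" "curl/8.0"`,
	`198.51.100.3 - - [02/May/2025:10:03:00 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"`,
	`10.0.0.5 - - [02/May/2025:10:04:00 +0000] "GET /scim/Users/abc HTTP/1.1" 200 800 "-" "provisioning-agent/1.0"`,
}
var sampleCasdoorUsers = []string{"alice", "bob", "svc-backup", "Carol"}
var sampleHRUsers = []string{"alice", "bob", "carol"}

func main() {
	for _, f := range flagScimRequests(sampleLog, parseCIDRs("10.0.0.0/8")) {
		fmt.Printf("%-12s %-4s %-16s %d  %s\n", f.Source, f.Method, f.Path, f.Status, f.Reason)
	}
	fmt.Println("accounts with no HR record:", unreconciledUsers(sampleCasdoorUsers, sampleHRUsers))
}
```

On the sample data the scan yields three findings (the trusted 201, and both requests from 203.0.113.7) and one unreconciled account, svc-backup. Access logs do not carry session cookies or tokens, so source address plus status is what this check can see; correlate with Casdoor's own audit trail to confirm which administrator, if any, performed the write.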
Monitoring Recommendations
- Forward Casdoor application and reverse-proxy logs to a centralized SIEM and alert on anomalous SCIM traffic patterns.
- Monitor identity provider events for new accounts immediately followed by privilege grants or OAuth client linkage.
- Track outbound authentication events from applications federated to Casdoor for sign-ins by recently created principals.
How to Mitigate CVE-2025-4210
Immediate Actions Required
- Upgrade Casdoor to version 1.812.0 or later, which includes commit 3d12ac8dc2282369296c3386815c00a06c6a92fe.
- Audit all user accounts created since deployment of any version at or below 1.811.0 and disable unauthorized identities.
- Restrict network exposure of the Casdoor administrative and SCIM endpoints to trusted management networks.
Patch Information
The fix is published in the Casdoor v1.812.0 release. The patch modifies controllers/scim.go so that HandleScim invokes RequireAdmin() and returns immediately if the caller is not authenticated as an administrator. Additional context is available in the VulDB entry for this issue.
Workarounds
- Block external access to the /scim URI path at the reverse proxy or web application firewall until the upgrade is applied.
- Place Casdoor behind an authenticating proxy that enforces administrator identity before traffic reaches the SCIM handler.
- Disable SCIM-dependent integrations temporarily if upgrade deployment is delayed.
# Example NGINX rule to restrict SCIM access to the management network pre-upgrade.
# This filters by source address only; it does not authenticate the caller.
# "casdoor_upstream" must be defined in an upstream {} block elsewhere in the config.
location ^~ /scim {
    # prefix match (no trailing slash) so both /scim and /scim/... are covered;
    # ^~ stops a later regex location from taking precedence over this rule
    allow 10.0.0.0/8;   # internal management network
    deny  all;          # every other source receives 403
    proxy_pass http://casdoor_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.