CVE-2025-58044 Overview
CVE-2025-58044 is an Open Redirect vulnerability in JumpServer, the open source bastion host and operations and maintenance (O&M) security audit system developed by Fit2Cloud. The /core/i18n// language-switching endpoint uses the Referer header as its redirection target without adequate validation. An attacker can therefore place a link to this endpoint on a site they control and have JumpServer redirect users who follow it back to an attacker-controlled page, which facilitates phishing, credential theft and other social-engineering campaigns.
Critical Impact
Attackers can use this Open Redirect to send users from the trusted JumpServer domain to malicious external sites, trading on the trust users place in that domain, which can lead to credential harvesting or malware distribution.
Affected Products
- Fit2Cloud JumpServer 3.x releases prior to v3.10.19
- Fit2Cloud JumpServer 4.x releases prior to v4.10.5
Discovery Timeline
- 2025-12-01 - CVE-2025-58044 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2025-58044
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect). The issue resides in JumpServer's internationalization (i18n) middleware, specifically in how the application handles language switching redirections. When a user changes their language preference via the /core/i18n// endpoint, the application reads the Referer HTTP header to determine where to redirect the user after the language change is applied.
The vulnerability carries a CVSS 4.0 score of 5.5 (Medium severity) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The EPSS probability is 0.031% (8.17th percentile), indicating a relatively low likelihood of exploitation in the wild.
Root Cause
The root cause stems from insufficient validation of the Referer header before using it as a redirect destination. The original implementation trusted the Referer header implicitly, allowing attackers to manipulate this header to specify an arbitrary external URL. Without proper URL parsing and domain validation, the application would redirect users to any URL specified in the Referer header.
Attack Vector
According to the CVSS metrics the attack is network-based and needs neither privileges nor user interaction. In practice the Referer header is not something a crafted link can set directly: the victim's browser fills it in with the URL of the page that contained the link, so the realistic abuse path is:
- Host a page on an attacker-controlled domain (for example a JumpServer login look-alike) that links to the vulnerable i18n endpoint on the genuine JumpServer host
- Lure users to that page, typically with a phishing e-mail; modern browsers send only the origin as a cross-site Referer by default, but the attacker's page can relax this with a referrerpolicy attribute or a meta referrer tag
- When the victim follows the link, the browser sends the attacker's page URL as the Referer
- JumpServer answers with a redirect to that Referer, bouncing the victim from the trusted JumpServer domain back to the attacker-controlled site, with the JumpServer host appearing as a legitimate intermediate hop
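The two behaviours side by side, as an added example written for this page (it is not JumpServer's code and not the body of the patch): a handler that trusts the Referer the way the pre-fix endpoint did, next to a hardened target selection built on urllib.parse that rejects anything not on the site's own host, including the usual open-redirect filter bypasses. The hostname jumpserver.example.com, the header dictionary and the helper names are assumptions.

```python
"""Added example for CVE-2025-58044 (editor's code, not JumpServer's and not
the SafeRedirectMiddleware body from the fix commit, which this page does not
reproduce). The hostname jumpserver.example.com is an assumed deployment value.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"jumpserver.example.com"}  # assumed deployment hostname(s)
FALLBACK = "/"


def vulnerable_redirect_target(headers):
    """Pre-fix behaviour as the advisory describes it: trust Referer verbatim."""
    return headers.get("Referer") or FALLBACK


def is_safe_redirect(url, allowed_hosts):
    """True only for a same-site path ("/core/...") or an absolute http(s) URL
    whose host is in allowed_hosts. Everything else is rejected."""
    if not url:
        return False
    # Whitespace and control characters: browsers strip some of them before
    # parsing, so "/\t/evil.example" can turn into "//evil.example".
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    # Browsers treat "\" like "/" in the authority position ("/\evil.example").
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ...
    if parts.scheme and not parts.netloc:
        return False  # "https:evil.example" is absolute to a browser
    if not parts.netloc:
        # Relative URL: must be a single-slash path on this site. Check the raw
        # string, because urlsplit("///evil.example") yields an empty netloc
        # and the path "/evil.example" while a browser goes to evil.example.
        return url.startswith("/") and not url.startswith("//")
    # Absolute or scheme-relative ("//evil.example") URL: check the host and
    # refuse userinfo so "https://jumpserver.example.com@evil.example" fails.
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def safe_redirect_target(headers, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Post-fix style: use Referer only if it stays on our site, else fall back."""
    referer = headers.get("Referer", "")
    return referer if is_safe_redirect(referer, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed request headers, as a browser sends them when the link to the
    # language switcher sits on an attacker-controlled page.
    phishing_request = {
        "Host": "jumpserver.example.com",
        "Referer": "https://evil.example/jumpserver-login",
    }
    print("vulnerable:", vulnerable_redirect_target(phishing_request))
    print("hardened:  ", safe_redirect_target(phishing_request))
```

The hardened check deliberately compares the parsed hostname against an allow-list rather than doing a prefix match on the string, which is what lets it reject jumpserver.example.com.evil.example, user@host forms and scheme-relative values alike.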
The official patch adds a SafeRedirectMiddleware to validate redirect targets. The excerpt below from the middleware module shows only the import changes (urlparse and quote from urllib.parse, redirect and reverse from Django); the middleware body itself is not reproduced here:
import os
import re
import time
+from urllib.parse import urlparse, quote
import pytz
from django.conf import settings
from django.core.exceptions import MiddlewareNotUsed
from django.http.response import HttpResponseForbidden
from django.shortcuts import HttpResponse
-from django.utils import timezone, translation
+from django.shortcuts import redirect
+from django.urls import reverse
+from django.utils import timezone
from .utils import set_current_request
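Review bot: this hunk changes only the imports of the middleware module, so nothing in the excerpt shows how SafeRedirectMiddleware checks the destination host, or whether scheme-relative (//host) and userinfo (user@host) forms are rejected; quote or link the middleware body next to the imports so the validation can be reviewed. Also, `translation` is dropped from `from django.utils import timezone, translation` while `quote` is newly imported: confirm the module no longer references translation and that quote is actually used, otherwise a linter will flag both.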
Source: https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b
The middleware is registered in the MIDDLEWARE list of the Django settings, directly before EndMiddleware, so that it can inspect redirect responses:
'authentication.middleware.ThirdPartyLoginMiddleware',
'authentication.middleware.SessionCookieMiddleware',
'simple_history.middleware.HistoryRequestMiddleware',
+ 'jumpserver.middleware.SafeRedirectMiddleware',
'jumpserver.middleware.EndMiddleware',
]
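Review bot: SafeRedirectMiddleware is inserted second to last, directly before EndMiddleware. Django runs the response phase in reverse list order, so this middleware sees a response before every middleware listed above it (ThirdPartyLoginMiddleware, SessionCookieMiddleware, HistoryRequestMiddleware and the rest); a redirect that one of those produces or rewrites in its own response handling is not covered. If the intent is to validate every outgoing Location header, document that ordering assumption next to the entry.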
Source: https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b
Detection Methods for CVE-2025-58044
Indicators of Compromise
- Unusual HTTP requests to /core/i18n// endpoints with manipulated Referer headers
- Web server logs showing redirects to external domains following i18n endpoint access
- User reports of unexpected redirections when changing language preferences
- Phishing campaigns leveraging legitimate JumpServer URLs as redirect launchers
Detection Strategies
Network-based detection can identify exploitation attempts by monitoring HTTP traffic for:
- Request Pattern Analysis: Monitor for requests to /core/i18n/ endpoints with Referer headers containing external domains
- Redirect Chain Analysis: Identify HTTP 302/301 responses from JumpServer that redirect to non-whitelisted external domains
- Log Correlation: Cross-reference web access logs with known phishing domains or suspicious URL patterns
Web Application Firewall (WAF) rules can be configured to inspect the Referer header on i18n endpoint requests and block those containing external URLs.
Monitoring Recommendations
Security teams should implement continuous monitoring of JumpServer access logs, specifically filtering for the i18n endpoint. Establish baseline behavior for legitimate language switching operations and alert on anomalies such as:
- High-frequency requests to i18n endpoints from single sources
- Referer headers that are not plain absolute URLs on the JumpServer host, for example scheme-relative values (//host), an @ sign or percent-encoded slashes and backslashes in the authority part, or other obfuscation attempts
- Redirect destinations to newly registered domains or known malicious infrastructure
Integration with SIEM solutions enables correlation of JumpServer logs with threat intelligence feeds for enhanced detection capabilities.
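The detection and baselining logic above, run over a handful of constructed nginx access-log lines, as an added example (editor's code, not part of the advisory or the JumpServer project). The hostname jumpserver.example.com, the language segment in the sample paths and the client addresses are assumptions. A standard access log does not record the Location response header, so the check treats the Referer as the redirect destination, which is exactly what the vulnerable endpoint did with it.

```python
"""Added example: scan nginx "combined"-format access logs for CVE-2025-58044
abuse (editor's code, not JumpServer's). The log lines, the hostname
jumpserver.example.com and the /core/i18n/<lang>/ path shape are constructed
or assumed for the example.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"jumpserver.example.com"}  # assumed JumpServer hostname(s)
I18N_PREFIX = "/core/i18n/"

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample log: one legitimate language switch, one without a
# Referer, three from a single source with attacker-style Referers, and one
# unrelated request with an external Referer that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2025:10:00:01 +0000] "GET /core/i18n/zh/ HTTP/1.1" 302 0 "https://jumpserver.example.com/core/auth/login/" "Mozilla/5.0"
203.0.113.11 - - [05/Dec/2025:10:00:03 +0000] "GET /core/i18n/en/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2025:10:00:05 +0000] "GET /core/i18n/en/ HTTP/1.1" 302 0 "https://evil.example/jumpserver-login" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2025:10:00:06 +0000] "GET /core/i18n/en/ HTTP/1.1" 302 0 "//evil.example/jumpserver-login" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2025:10:00:07 +0000] "GET /core/i18n/en/ HTTP/1.1" 302 0 "https://jumpserver.example.com@evil.example/" "Mozilla/5.0"
203.0.113.12 - - [05/Dec/2025:10:00:09 +0000] "GET /core/auth/login/ HTTP/1.1" 200 1234 "https://evil.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_reasons(referer, allowed_hosts):
    """List why this Referer is suspicious as a redirect target; empty means
    it is a well-formed URL on our own host (or absent)."""
    if referer in ("", "-"):
        return []  # no Referer: nothing attacker-controlled to redirect to
    reasons = []
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if not parts.scheme and parts.netloc:
        reasons.append("scheme-relative referer")
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo in referer")
    lowered = referer.lower()
    if "\\" in referer or "%5c" in lowered or "%2f%2f" in lowered:
        reasons.append("obfuscated separators")
    if host not in allowed_hosts:
        reasons.append("external referer host: %s" % (host or "<none>"))
    return reasons


def find_suspicious(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Language-switch requests whose Referer would have sent the user off-site."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(I18N_PREFIX):
            continue
        reasons = referer_reasons(rec["referer"], allowed_hosts)
        if reasons:
            hits.append({"ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                         "status": rec["status"], "referer": rec["referer"],
                         "reasons": reasons})
    return hits


def i18n_requests_per_ip(log_text):
    """Baseline helper: language-switch requests per client address, for
    spotting high-frequency sources."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(I18N_PREFIX):
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], hit["status"], hit["referer"], "; ".join(hit["reasons"]))
    print("i18n requests per IP:", dict(i18n_requests_per_ip(SAMPLE_LOG)))
```

In production, feed the real access log through find_suspicious and compare i18n_requests_per_ip against a baseline of normal language-switch volume; a Referer with no host at all, which browsers never send, is worth flagging as a hand-crafted request even before the host check.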
How to Mitigate CVE-2025-58044
Immediate Actions Required
- Upgrade JumpServer v3.x installations to version v3.10.19 or later
- Upgrade JumpServer v4.x installations to version v4.10.5 or later
- Review web server logs for any historical exploitation attempts targeting the i18n endpoint
- Implement WAF rules to block external redirects from JumpServer until patching is complete
Patch Information
The vulnerability has been addressed in JumpServer versions v3.10.19 and v4.10.5. The security fix introduces proper URL validation through the SafeRedirectMiddleware component, which uses urlparse from Python's urllib.parse module to validate redirect destinations and ensure they point only to trusted internal URLs.
The official patch is available at commit 36ae076cb021f16d2053a63651bc16d15a3ed53b on the JumpServer GitHub repository. The security advisory with full details is documented in GHSA-h762-mj7p-jwjq.
Workarounds
If immediate patching is not feasible, organizations can implement temporary mitigations:
# Nginx workaround: reject language-switch requests whose Referer is an
# absolute URL on a host other than JumpServer itself. Replace
# your-jumpserver-domain.com with the real hostname. The (?:[:/]|$) after the
# hostname anchors the match so that your-jumpserver-domain.com.evil.net does
# not pass a plain prefix check. Requests without a Referer are left alone
# ($http_referer is empty and the regex does not match).
location ~ ^/core/i18n/ {
    if ($http_referer ~* "^https?://(?!your-jumpserver-domain\.com(?:[:/]|$))") {
        return 403;
    }
    proxy_pass http://jumpserver_backend;
}
Additionally, the reverse proxy can strip or rewrite the Referer header on requests to the i18n endpoint before they reach the application, so that no attacker-controlled value is ever used as a redirect target (this changes where users land after switching language, so test it first). These workarounds are temporary measures while the upgrade to a patched version is planned.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


