CVE-2025-65954 Overview
CVE-2025-65954 is an open redirect vulnerability in SimpleSAMLphp-casserver, a Central Authentication Service (CAS) 1.0 and 2.0 compliant module for SimpleSAMLphp. The flaw resides in the logout endpoint, which accepts a url query parameter and treats the supplied value as trusted. Depending on configuration, the server either redirects the browser to the attacker-supplied URL or displays a logout page containing a link to that URL. The issue affects versions below 6.3.1 and the 7.0 branch prior to 7.0.0. Configurations with 'enable_logout' => true and 'skip_logout_page' => true are impacted. The vulnerability is tracked under CWE-601: URL Redirection to Untrusted Site.
Critical Impact
Attackers can craft logout URLs that redirect authenticated users to attacker-controlled domains, enabling credential phishing campaigns that abuse the trust of the CAS server's domain.
Affected Products
- SimpleSAMLphp-casserver versions below 6.3.1
- SimpleSAMLphp-casserver versions below 7.0.0
- Deployments with enable_logout and skip_logout_page set to true
Discovery Timeline
- 2026-05-18 - CVE-2025-65954 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2025-65954
Vulnerability Analysis
The SimpleSAMLphp-casserver module implements a CAS-compliant single sign-on server. The CAS protocol logout endpoint supports a url parameter that indicates where the user should be sent after the session is terminated. In affected versions, casserver does not validate this parameter against an allowlist of permitted destinations.
When skip_logout_page is enabled, casserver issues an HTTP redirect directly to the supplied URL. When the logout page is rendered, the URL becomes a clickable link presented to the user. In both cases, the attacker controls the destination while the request originates from the trusted CAS domain.
Open redirect flaws in authentication infrastructure are particularly effective for phishing. Users who recognize the legitimate single sign-on host are more likely to follow links that appear to originate from it. The CWE-601 classification reflects this trust-abuse pattern.
Root Cause
The root cause is missing validation of the url query parameter passed to the logout endpoint. The handler treats any supplied URL as trusted and forwards the browser without checking it against configured service registries or domain allowlists.
Attack Vector
An attacker crafts a logout URL on the legitimate casserver host with a url parameter pointing to an attacker-controlled domain. The attacker delivers this link through email, chat, or a malicious page. When a victim clicks the link, casserver terminates the session and either redirects to the attacker site or renders a logout page linking to it. The attacker site can mimic the organization's login portal to harvest credentials.
The vulnerability requires user interaction but no authentication. Exploitation occurs over the network. See the GitHub Security Advisory GHSA-cvrm-5hp6-h523 for additional technical detail.
Detection Methods for CVE-2025-65954
Indicators of Compromise
- Logout endpoint requests containing a url parameter pointing to external or unexpected domains
- Spikes in traffic to /module.php/casserver/cas/logout with varied url parameter values
- Referrer logs showing outbound redirects from the CAS server to domains outside the organization's registered services
Detection Strategies
- Parse web server access logs for logout endpoint requests and extract the url query parameter for review against an allowlist of approved post-logout destinations
- Deploy a Web Application Firewall (WAF) rule that inspects logout requests and flags off-domain redirect targets
- Correlate logout redirects with downstream phishing reports from users to identify active campaigns
Monitoring Recommendations
- Enable verbose logging on the casserver logout handler and forward logs to a centralized SIEM for query and alerting
- Alert when the url parameter resolves to a domain not present in the CAS service registry
- Monitor for repeated logout requests originating from the same source IP with varying redirect targets, which suggests reconnaissance or weaponization
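The following is an added example, not code from the casserver project or the advisory, showing the detection strategy above in Python: parse access-log lines for requests to the logout endpoint, percent-decode the url parameter, check its host against an exact-match allowlist standing in for the CAS service registry, and flag source IPs that cycle through several off-domain targets. The allowlisted hosts and the log lines are constructed for illustration; the same redirect_target_allowed check is the shape of validation a reverse proxy or WAF workaround would apply.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed allowlist standing in for the CAS service registry; hosts are hypothetical.
ALLOWED_HOSTS = {"sso.example.edu", "portal.example.edu"}
LOGOUT_PATH = "/module.php/casserver/cas/logout"
# Apache combined-log request line: source IP and request target are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

# Constructed sample, not real traffic: one legitimate logout, two off-domain targets from
# the same client (lookalike suffix, then protocol-relative URL), and one unrelated login.
SAMPLE_LOG = """\
203.0.113.10 - - [18/May/2026:10:01:02 +0000] "GET /module.php/casserver/cas/logout?url=https%3A%2F%2Fportal.example.edu%2Fbye HTTP/1.1" 302 0
203.0.113.10 - - [18/May/2026:10:01:09 +0000] "GET /module.php/casserver/cas/logout?url=https%3A%2F%2Fportal.example.edu.lookalike.test%2Flogin HTTP/1.1" 302 0
203.0.113.10 - - [18/May/2026:10:01:15 +0000] "GET /module.php/casserver/cas/logout?url=//lookalike.test/sso HTTP/1.1" 302 0
198.51.100.7 - - [18/May/2026:10:02:00 +0000] "GET /module.php/casserver/cas/login?service=https%3A%2F%2Fportal.example.edu HTTP/1.1" 200 512
"""

def redirect_target_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Exact-host allowlist check for a post-logout destination: only absolute http(s)
    URLs whose hostname is in the set pass. Exact matching (not prefix/suffix/substring)
    rejects protocol-relative (//host), userinfo (allowed@other) and allowed.other forms."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname in allowed_hosts  # .hostname is already lower-cased

def find_offdomain_logouts(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (source_ip, url_param) for each logout request whose url fails the check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlparse(m.group("target"))
        if req.path != LOGOUT_PATH:
            continue
        for url in parse_qs(req.query).get("url", []):  # parse_qs percent-decodes
            if not redirect_target_allowed(url, allowed_hosts):
                hits.append((m.group("ip"), url))
    return hits

def sources_with_varied_targets(hits, threshold=2):
    """Source IPs with at least `threshold` distinct off-domain targets (scanning pattern)."""
    per_ip = defaultdict(set)
    for ip, url in hits:
        per_ip[ip].add(url)
    return sorted(ip for ip, urls in per_ip.items() if len(urls) >= threshold)
```

Run find_offdomain_logouts(SAMPLE_LOG) to list the two flagged requests, then feed the result to sources_with_varied_targets to surface the single client that supplied both off-domain targets.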
How to Mitigate CVE-2025-65954
Immediate Actions Required
- Upgrade SimpleSAMLphp-casserver to version 6.3.1 or 7.0.0 as published by the maintainers
- Audit casserver configuration files for enable_logout and skip_logout_page settings and identify affected deployments
- Notify users to be cautious of logout links received via email or chat until patching is complete
Patch Information
The maintainers resolved the issue in versions 6.3.1 and 7.0.0. Review the upstream fixes in the first commit and the second commit. The patches add validation of the redirect target against the configured service registry before issuing the redirect or rendering the logout link.
Workarounds
- Set skip_logout_page to false so users see an interstitial page rather than an automatic redirect, reducing phishing effectiveness
- Disable the logout endpoint by setting enable_logout to false if logout functionality is not required by relying parties
- Place a reverse proxy or WAF in front of the casserver that strips or validates the url parameter on logout requests against an allowlist
# Composer upgrade to patched version
composer require simplesamlphp/simplesamlphp-module-casserver:^6.3.1
# or for the 7.x branch
composer require simplesamlphp/simplesamlphp-module-casserver:^7.0.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.