CVE-2025-67852 Overview
A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure.
Critical Impact
Authenticated users can be redirected to malicious external sites after successful OAuth login, enabling sophisticated phishing attacks and potential credential theft.
Affected Products
- Moodle (specific versions not disclosed in advisory)
Discovery Timeline
- 2026-02-03 - CVE-2025-67852 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-67852
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as "Open Redirect"). The flaw exists within Moodle's OAuth authentication flow, where redirect parameters are not properly validated before being used to redirect users after successful authentication.
Open redirect vulnerabilities are particularly dangerous in authentication contexts because users naturally trust the login process. When a user initiates an OAuth login to Moodle, they expect to be returned to the legitimate Moodle instance. However, an attacker can craft a malicious link that exploits this vulnerability to redirect the user to an attacker-controlled site after authentication completes.
The attack requires user interaction: the victim must click a crafted malicious link and complete the authentication process. Because the initial authentication occurs on the legitimate Moodle platform, users may not notice when they are subsequently redirected to a phishing page designed to capture additional credentials or sensitive information.
Root Cause
The root cause of this vulnerability is insufficient validation of redirect parameters within the OAuth login flow. When processing redirect URLs after successful authentication, Moodle fails to adequately verify that the destination URL belongs to a trusted domain or path. This allows attackers to inject arbitrary URLs that users will be redirected to upon completing their login.
Proper mitigation requires implementing strict allowlisting of redirect destinations, validating that redirect URLs are relative paths or belong to explicitly trusted domains, and rejecting any redirect parameters that point to external or untrusted locations.
Attack Vector
The attack is network-based and requires an authenticated user with low privileges to be tricked into clicking a malicious link. The attacker constructs a specially crafted URL that includes a malicious redirect parameter targeting the vulnerable OAuth endpoint. When the victim clicks this link and authenticates, they are redirected to the attacker's site instead of the expected destination.
A typical attack scenario involves:
- Attacker identifies the vulnerable OAuth endpoint in Moodle
- Attacker crafts a link with a malicious redirect_uri or similar parameter pointing to their phishing site
- Attacker distributes the link via email, social media, or embedded in a webpage
- Victim clicks the link and authenticates to Moodle
- Upon successful authentication, victim is redirected to the attacker-controlled site
- The phishing site may impersonate Moodle to harvest additional credentials or sensitive data
Detection Methods for CVE-2025-67852
Indicators of Compromise
- Unusual redirect parameters in OAuth-related URLs pointing to external domains
- User complaints about being redirected to unexpected websites after login
- Log entries showing successful authentications followed by redirects to non-Moodle domains
- Phishing reports targeting your organization that reference legitimate Moodle login pages
Detection Strategies
- Monitor web server logs for OAuth endpoints with suspicious redirect parameters containing external URLs
- Implement URL pattern matching rules to alert on redirect parameters pointing outside trusted domains
- Deploy web application firewall (WAF) rules to inspect and flag OAuth requests with untrusted redirect destinations
- Review authentication logs for patterns of successful logins followed by requests to external resources
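The allowlist check described under Root Cause and the log review described above, as one added Python example that is not part of the advisory or of Moodle's own code. The site host, the parameter names (wantsurl is Moodle's usual name for a post-login destination; the others are those the advisory lists) and the access-log lines are assumed or constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed for this example: the site's own host, and the query parameters that may
# carry a post-login destination (wantsurl is Moodle's usual name; the rest are
# the names the advisory lists).
ALLOWED_HOSTS = {"moodle.example.edu"}
REDIRECT_PARAMS = ("redirect_uri", "return_url", "next", "wantsurl")

def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow only a relative path or an http(s) URL whose host is on the allowlist.
    Rejects protocol-relative (//evil), backslash (/\\evil), non-http schemes,
    userinfo (https://good@evil) and host-suffix (good.evil) tricks, in any encoding."""
    if not target:
        return False
    t = unquote(unquote(target)).strip()      # see through double encoding
    if any(c in t for c in "\r\n\x00"):
        return False
    if t.startswith("/") and not t.startswith(("//", "/\\")):
        return True                           # plain same-site path
    try:
        parts = urlsplit(t.replace("\\", "/"))  # browsers treat \ as / in http URLs
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return parts.hostname is not None and parts.hostname.lower() in allowed_hosts

# Constructed Apache-style access log lines (not real traffic); the last two carry
# external destinations and should be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2026:10:01:02 +0000] "GET /auth/oauth2/login.php?id=1&wantsurl=%2Fmy%2F HTTP/1.1" 302 -
10.0.0.6 - - [03/Feb/2026:10:02:11 +0000] "GET /auth/oauth2/login.php?id=1&wantsurl=https%3A%2F%2Fmoodle.example.edu%2Fcourse%2F HTTP/1.1" 302 -
10.0.0.7 - - [03/Feb/2026:10:03:45 +0000] "GET /auth/oauth2/login.php?id=1&wantsurl=https%3A%2F%2Fmoodle.example.edu.attacker.example%2F HTTP/1.1" 302 -
10.0.0.8 - - [03/Feb/2026:10:04:09 +0000] "GET /auth/oauth2/login.php?id=1&redirect_uri=%2F%2Fattacker.example%2Flogin HTTP/1.1" 302 -
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>/auth/oauth2/\S*)')

def find_suspicious(log_text: str) -> list:
    """Return (client_ip, parameter, value) for OAuth requests with an unsafe redirect."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name in REDIRECT_PARAMS:
                hits.extend((m.group("ip"), name, v) for v in values if not is_safe_redirect(v))
    return hits
```

The same `is_safe_redirect` check can sit in front of the application's redirect call, while `find_suspicious` is the offline version of the log review for existing traffic.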
Monitoring Recommendations
- Enable detailed logging for all OAuth authentication flows in Moodle
- Set up alerts for redirect parameters containing external domains or IP addresses
- Monitor for phishing campaigns that may be leveraging this vulnerability against your users
- Regularly audit OAuth configuration and redirect allowlists
How to Mitigate CVE-2025-67852
Immediate Actions Required
- Review and apply security updates from Moodle when available
- Implement strict redirect URL validation at the web application firewall level
- Configure Content Security Policy headers to restrict redirect destinations
- Educate users about verifying URLs after authentication completes
Patch Information
Administrators should monitor the Red Hat CVE Advisory and Red Hat Bug Report for official patch information and updates from the vendor. Apply security patches as soon as they become available from your Moodle distribution.
Workarounds
- Implement a reverse proxy or WAF rule to strip or validate redirect parameters on OAuth endpoints
- Configure an explicit allowlist of permitted redirect domains at the infrastructure level
- Disable OAuth authentication temporarily if not essential and alternative authentication methods are available
- Deploy browser-based security controls to warn users when navigating to external sites after authentication
# Example Apache mod_rewrite rule to block external redirects (adjust paths and domain as needed)
# Add to Moodle's .htaccess; in httpd.conf the RewriteRule pattern needs a leading slash (^/auth/oauth2/)
RewriteEngine On
# Block absolute (https://, URL-encoded https%3A%2F%2F) and protocol-relative (//) values of
# redirect-style parameters unless the host is exactly yourdomain.com; the lookahead's
# trailing set (/ : & or end of value) stops prefix tricks such as yourdomain.com.attacker.example
RewriteCond %{QUERY_STRING} (?:^|&)(redirect_uri|return_url|next)=(?:https?(?::|%3A))?(?:/|%2F){2}(?!yourdomain\.com(?:/|%2F|:|%3A|&|$)) [NC]
RewriteRule ^auth/oauth2/ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.