Skip to main content
CVE Vulnerability Database

CVE-2025-6967: Sarman Soft CMS Auth Bypass Vulnerability

CVE-2025-6967 is an authentication bypass flaw in Sarman Soft CMS caused by Execution After Redirect (EAR) that enables JSON hijacking attacks. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2025-6967 Overview

CVE-2025-6967 is an Execution After Redirect (EAR) vulnerability in the content management system (CMS) developed by Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. The flaw enables JSON Hijacking (also known as JavaScript Hijacking) and authentication bypass. It affects all CMS versions up through build 10022026. The weakness is classified under [CWE-698] (Execution After Redirect). According to the disclosure, the vendor was contacted but did not respond, leaving the issue unaddressed at publication.

Critical Impact

Remote attackers can bypass authentication and exfiltrate sensitive JSON data returned by protected endpoints, compromising confidentiality and integrity of the affected CMS.

Affected Products

  • Sarman Soft CMS through version 10022026
  • Web applications relying on the affected CMS for authentication and session handling
  • Deployments exposing JSON API endpoints behind incomplete redirect-based access controls

Discovery Timeline

  • 2026-02-10 - CVE-2025-6967 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-6967

Vulnerability Analysis

The vulnerability stems from improper handling of HTTP redirects in the Sarman Soft CMS. When the application detects an unauthenticated request to a protected resource, it issues a redirect response but continues to execute the underlying handler logic. The response body containing sensitive JSON data is still emitted alongside the redirect headers. Attackers can read this leaked response, effectively bypassing the authentication boundary the redirect was meant to enforce.

Root Cause

The root cause is an Execution After Redirect flaw [CWE-698]. Server-side code calls a redirect function but does not terminate execution afterward. Downstream handlers continue to render JSON payloads intended only for authenticated users. Combined with the absence of anti-CSRF tokens or content-type restrictions on JSON endpoints, this enables JSON Hijacking via cross-origin script inclusion.

Attack Vector

The attack is network-based and requires no privileges or user interaction beyond luring a victim to a malicious page. An attacker hosts a page that includes the target JSON endpoint through a <script> tag or fetch request. Because the server emits the JSON body even when issuing a redirect, the attacker's page captures the data. Authentication is bypassed because the response content is generated and returned without verifying the session state.

The vulnerability mechanism involves the server pipeline failing to halt after Location headers are set. See the USOM Security Advisory TR-26-0050 for additional context on the disclosure.

Detection Methods for CVE-2025-6967

Indicators of Compromise

  • HTTP 302 or 301 responses from CMS endpoints that also include a non-empty JSON response body
  • Cross-origin Referer headers on requests to authenticated JSON endpoints from unexpected domains
  • Unusual <script src=...> requests targeting CMS API paths recorded in web server access logs

Detection Strategies

  • Inspect web application logs for redirect responses that return content lengths greater than expected for an empty redirect body
  • Deploy a web application firewall (WAF) rule that flags JSON responses paired with 3xx status codes from the CMS
  • Correlate authentication failures with successful data responses on the same request to identify EAR conditions

Monitoring Recommendations

  • Monitor outbound traffic from CMS hosts for anomalous response sizes on redirect status codes
  • Audit access patterns to JSON endpoints, focusing on requests lacking valid session cookies
  • Alert on browser-based cross-origin fetches that successfully retrieve CMS data without authentication tokens

How to Mitigate CVE-2025-6967

Immediate Actions Required

  • Restrict access to the Sarman Soft CMS administrative and API endpoints using network-level controls or IP allowlisting until a vendor fix is available
  • Place the CMS behind a reverse proxy that strips response bodies from 3xx redirect responses
  • Disable or rate-limit cross-origin requests to JSON endpoints through CORS and SameSite cookie configuration

Patch Information

No vendor patch is available. The disclosure notes that Sarman Soft did not respond to coordinated disclosure attempts. Operators should track the USOM Security Advisory TR-26-0050 for updates and contact the vendor directly to request a fix.

Workarounds

  • Configure the web server or reverse proxy to enforce empty response bodies on HTTP redirect status codes
  • Add anti-CSRF tokens and require a custom request header on all JSON endpoints to defeat cross-origin script inclusion
  • Set Content-Type: application/json strictly and reject requests that include a Referer from untrusted origins
  • Apply session validation middleware that returns 401 or 403 instead of redirecting unauthenticated API requests
bash
# Example nginx configuration to strip response bodies from redirects
location /api/ {
    proxy_pass http://cms_backend;
    proxy_intercept_errors on;
    error_page 301 302 = @empty_redirect;
}

location @empty_redirect {
    return 302 $upstream_http_location;
}

# Enforce SameSite and reject cross-origin JSON requests
add_header Set-Cookie "sessionid=$cookie_sessionid; SameSite=Strict; Secure; HttpOnly";

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.