Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
  • Experiencing a breach?
  • Blog
  • Careers

  • Platform & Products

    • Singularity™ Platform

      Unified Enterprise Security. Machine-Speed Protection, Intelligence, and Response.

    • XDR

      Native and Open Protection, Detection, and Response.

    • Integrations and Partners

      One-Click Integrations to Unlock the Power of SentinelOne.

    Product Tours
    Pricing & Packages
    Get a Demo

  • Solutions & Use Cases

    SentinelOne for Industries

    Security Tuned for Your Industry.

    See All Industries
    • Healthcare

      Protect Patient Data. Keep Clinical Systems Online.

    • Financial Services

      Stop Fraud and Ransomware. Stay Audit-Ready.

    • Federal Government

      FedRAMP and IL5-Ready Defense for Federal Missions.

    • Manufacturing

      Defend OT, IT, IIOT, and Supply Chains at Scale.

    • Energy

      Secure OT Systems and Critical Infrastructure.

    • Transportation and Logistics

      Defend Operations Across Fleet, Port, and Rail.

    • Higher Education

      Protect Open Networks Without Slowing Research.

    • K-12 Education

      Stop Ransomware. Protect Students, Staff, and Data.

    • Retail and Hospitality

      Defend Your Brand, Customer Data, and Bottom Line.

    • SMB & Startups

      Enterprise-Grade Defense for Fast Teams.

    See all solutions

  • Services

    Managed Services

    Wayfinder Threat Detection and Response.

    Learn More
    • Threat Hunting

      World-Class Expertise and Threat Intelligence.

    • Managed Detection and Response

      24/7 Expert MDR Across Your Entire Environment.

    • Incident Readiness and Response

      DFIR, Breach Readiness, and Compromise Assessments.

    Experiencing a breach?

    Our experts are here to help 24/7.

    1-855-868-3733
    Get Help Now

  • Partners

    Become a Partner

    • Become a SentinelOne Partner

      Join the Global SentinelOne Ecosystem

    • Explore MSSP Solutions

      Services Succeed Faster with SentinelOne

    • Form a Technology Alliance

      Integrated, Enterprise-Scale Solutions

    Find a Partner

    • Enlist a Response or Advisory Team

      Enlist Pro Response and Advisory Teams

    • SentinelOne for AWS

      Hosted Across AWS Regions Worldwide

    • SentinelOne for Google

      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale

    • Partner Locator

      Your Go-to Source for Our Top Partners in Your Region

    • Singularity Marketplace

      One-Click Integrations for Unified Prevention, Detection, and Response

      Explore integrations
    Partner Portal Login

  • Why SentinelOne

    • Why Choose SentinelOne

      AI-Powered Cybersecurity Built to Secure What’s Next.

    • Our Customers

      Trusted by the World’s Leading Companies.

    • Industry Awards & Recognition

      Tested and Proven by the Experts.

  • Resources & Support

    Resources

    • Resource Center
    • Webinars
    • Cybersecurity Blog
    • Events
    • Newsroom

    Company

    • About SentinelOne
    • Careers
    • S Ventures
    • S Foundation
    • Dataset
    • FAQ
    • Investors Relations

    Customer Success & Support

    • Live and On-Demand Training
    • Guided Onboarding & Deployment
    • Technical Account Management
    • Support Services
    • Customer Portal
    • Get Support Now

    Explore

    • Vulnerability Database
    • SentinelLABS Threat Research
    • Ransomeware Anthology
    • Cybersecurity 101
    EventJoin us at OneCon (Oct. 20–22, 2026)
    CompetitionThreat Hunting World Championship 2026
    ReportThe SentinelOne Annual Threat Report
  • Pricing
Get StartedContact us

Explore SentinelOne

  • Pricing
Events
Get StartedContact us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71244

CVE-2025-71244: Spip Open Redirect Vulnerability

CVE-2025-71244 is an open redirect flaw in Spip CMS affecting login forms in AJAX mode. Attackers can redirect users to malicious sites after login. This article covers technical details, affected versions, and mitigation.

Updated: May 15, 2026

CVE-2025-71244 Overview

CVE-2025-71244 is an open redirect vulnerability [CWE-601] in SPIP, an open-source content management system. The flaw affects SPIP versions before 4.4.5 and 4.3.9 when the login form is overridden to operate in AJAX mode. Attackers can craft malicious URLs that redirect victims to arbitrary external sites after a successful login. The SPIP security screen does not mitigate this issue, leaving affected deployments exposed until upstream patches are applied.

Critical Impact

Attackers can leverage the trusted SPIP login flow to redirect authenticated users to attacker-controlled sites, enabling phishing and credential theft campaigns against site visitors.

Affected Products

  • SPIP versions before 4.4.5
  • SPIP versions before 4.3.9
  • SPIP deployments with login pages overridden to AJAX mode

Discovery Timeline

  • 2026-02-19 - CVE-2025-71244 published to the National Vulnerability Database
  • 2026-02-24 - Last updated in NVD database

Technical Details for CVE-2025-71244

Vulnerability Analysis

The vulnerability resides in the SPIP login form when configured for AJAX mode. The login handler accepts a redirect parameter without validating that the target URL points to a trusted internal location. After authentication completes, SPIP forwards the user to the supplied destination without origin checks. An attacker who lures a user to a crafted SPIP login URL can therefore land the victim on any external domain once the login flow finishes.

The issue is classified as CWE-601 (URL Redirection to Untrusted Site). Exploitation requires user interaction, since the victim must follow the malicious link and authenticate. The attack does not compromise the SPIP server itself, but it leverages the site's trusted domain to make phishing pages appear legitimate.

This vulnerability only affects sites whose login page has been overridden to operate in AJAX mode. Default SPIP installations that do not customize the login template are not impacted. The SPIP security screen, which blocks several known attack patterns, does not filter this redirect path.

Root Cause

The root cause is missing validation of the post-login redirect destination in the AJAX login flow. The application trusts user-controlled input to determine the next page, instead of restricting redirects to a same-origin allowlist.

Attack Vector

The attack is delivered over the network and requires user interaction. An attacker distributes a crafted SPIP login URL containing an external redirect target. When the victim authenticates on the legitimate SPIP site, the application forwards their browser to the attacker-controlled domain. The destination site can then impersonate the original application to harvest credentials or deliver malware.

No verified public exploit code is available for CVE-2025-71244. Technical details are described in the VulnCheck SPIP Open Redirect Advisory and the SPIP Security Update Announcement.

Detection Methods for CVE-2025-71244

Indicators of Compromise

  • HTTP requests to SPIP login endpoints containing a redirect, url, or similar parameter pointing to an external domain.
  • Web server access logs showing successful logins immediately followed by 3xx responses redirecting to non-local hosts.
  • Referrer chains in downstream phishing reports that trace back to a legitimate SPIP-hosted login URL.

Detection Strategies

  • Inspect web access logs for login form submissions where the redirect parameter resolves to a host outside the site's domain.
  • Deploy WAF rules that flag absolute URLs or protocol-relative URLs in redirect parameters on /spip.php and related login endpoints.
  • Correlate user reports of unexpected post-login redirects with corresponding entries in SPIP authentication logs.

Monitoring Recommendations

  • Enable verbose logging on the SPIP authentication module and forward events to a central SIEM for analysis.
  • Alert on anomalous outbound referrer patterns originating from the SPIP login URL.
  • Track the SPIP version deployed across managed sites and flag any host still running a release earlier than 4.4.5 or 4.3.9.

How to Mitigate CVE-2025-71244

Immediate Actions Required

  • Upgrade SPIP to version 4.4.5 or 4.3.9, depending on the deployed branch.
  • Audit custom login templates to confirm whether AJAX mode is in use and assess exposure.
  • Review recent web logs for crafted login URLs containing external redirect targets.

Patch Information

SPIP addressed the issue in versions 4.4.5 and 4.3.9. Release notes and download links are available in the SPIP Security Update Announcement. Source changes can be reviewed in the SPIP Git Repository.

Workarounds

  • Revert the login page to the default SPIP template until the patched version can be deployed.
  • Restrict the redirect parameter at the reverse proxy or WAF layer to same-origin destinations only.
  • Disable AJAX login mode in customized templates if the upgrade cannot be applied immediately.
bash
# Example WAF rule pattern to block external redirects on the SPIP login endpoint
# Reject requests where the post-login redirect target is not same-origin
SecRule ARGS:redirect "@rx ^(https?:)?//(?!example\.com)" \
    "id:1007244,phase:2,deny,status:400,msg:'SPIP CVE-2025-71244 open redirect attempt'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeOther
  • Vendor/TechSpip
  • SeverityMEDIUM
  • CVSS Score5.1
  • EPSS Probability0.05%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityLow
  • AvailabilityNone
  • CWE References
  • CWE-601
  • Technical References
  • SPIP Security Update Announcement
  • SPIP Git Repository
  • VulnCheck SPIP Open Redirect Advisory
  • Related CVEs
  • CVE-2026-48832: SPIP Open Redirect Vulnerability
  • CVE-2026-8430: SPIP Remote Code Execution Vulnerability
  • CVE-2026-8429: SPIP RCE Vulnerability in Private Space
  • CVE-2026-33549: SPIP Privilege Escalation Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
Get a DemoContact Us
  • Product Tours
  • Why SentinelOne
  • Pricing & Packages
  • FAQ
  • SentinelOne Status

Key Products & Solutions

  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Prompt Security
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Explore Solutions

Services

  • Wayfinder TDR
  • Managed Detection and Response
  • Threat Hunting
  • Incident Readiness
& Response
  • Technical Account Management
  • Guided Onboarding 
& Deployment
  • Support Services

Company

  • About Us
  • Our Customers
  • Careers
  • Partners
  • S1 Foundation
  • S1 Ventures
  • Legal Information
  • Security & Compliance
  • Investor Relations

Quick Links

  • Customer Portal
  • Partner Portal
  • Become a Partner
  • Resource Center
  • SentinelLABS Threat Research
  • Blog
  • Press Center
  • Cybersecurity 101
  • Events
  • Ransomware Anthology
©2026 SentinelOne, All Rights Reserved
Privacy NoticeTerms of Use
English
English