{"id":"GHSA-cvrm-5hp6-h523","summary":"SimpleSAMLphp casserver: Open Redirect in logout","details":"### Summary\n\nThe logout endpoint accepts a `url` query parameter to redirect to. casserver treats that URL as trusted and, depending on configuration, either redirects the browser there or shows a \"you've been logged out\" page with a link to continue to that URL.\n\nThere are a number of other things broken with logout in 7 (CAS v3 uses different query parameters, etc.).\n\n### Details\n\nhttps://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104\n\nThe previous module version checked the URL against the valid service URLs.\n\n### PoC\n\nThe docker instructions from the README.md run an image with a vulnerable config.\n\nAccessing https://localhost/cas/logout?url=https://google.com will redirect to Google.\n\n### Impact\n\nImpacted configs have\n\n```php\n'enable_logout' =\u003e true,\n```\n\nand are most impacted if they also have\n\n```php\n'skip_logout_page' =\u003e true,\n```","aliases":["CVE-2025-65954"],"modified":"2026-05-19T16:15:14.032350053Z","published":"2026-05-15T16:21:13Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-601"],"severity":"MODERATE","nvd_published_at":"2026-05-18T20:16:36Z","github_reviewed_at":"2026-05-15T16:21:13Z"},"references":[{"type":"WEB","url":"https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65954"},{"type":"WEB","url":"https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/0462f50f00b3bb300d83067d11b74146a57bb8e0"},{"type":"WEB","url":"https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/fb6c6f1c7b9e757c93c5c306e1d36405e64f6dc5"},{"type":"PACKAGE","url":"https://github.com/simplesamlphp/simplesamlphp-module-casserver"},{"type":"WEB","url":"https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104"}],"affected":[{"package":{"name":"simplesamlphp/simplesamlphp-module-casserver","ecosystem":"Packagist","purl":"pkg:composer/simplesamlphp%2Fsimplesamlphp-module-casserver"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.0.0-rc1"},{"fixed":"7.0.0"}]}],"versions":["v7.0.0-rc1","v7.0.0-rc2","v7.0.0-rc3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-cvrm-5hp6-h523/GHSA-cvrm-5hp6-h523.json","last_known_affected_version_range":"\u003c 7.0.0-rc3"}},{"package":{"name":"simplesamlphp/simplesamlphp-module-casserver","ecosystem":"Packagist","purl":"pkg:composer/simplesamlphp%2Fsimplesamlphp-module-casserver"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.3.1"}]}],"versions":["v6.0.0","v6.1.0","v6.1.1","v6.1.2","v6.2.0","v6.2.1","v6.3.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-cvrm-5hp6-h523/GHSA-cvrm-5hp6-h523.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"}]}