logo

Database

Server-side request forgery (SSRF) In simplesamlphp/simplesamlphp-module-casserver

Description

SimpleSAMLphp casserver: Open Redirect in logout

Summary

The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url.

There are a number of other things broken with logout in 7 (cas v3 uses a different query parameters, etc)

Details

https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104

Previous module checked the url against the valid service urls.

PoC

The docker instructions from the README.md run an image with a vulnerable config.

Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google

Impact

Impacted configs have

'enable_logout' => true,

and are most impacted if they also have

'skip_logout_page' -> true,

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-659542. NVD-2025-659543. OSV-2025-659544. GHSA-cvrm-5hp6-h5235. GCVE-2025-65954

References

1. https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h5232. https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/0462f50f00b3bb300d83067d11b74146a57bb8e03. https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/fb6c6f1c7b9e757c93c5c306e1d36405e64f6dc54. https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.