Authorization Bypass Vulnerability in Casdoor Affecting SCIM User Creation Endpoint
CVE-2025-4210

6.9 MEDIUM

Key Information:

Vendor: Casdoor
Status: Vendor
CVE Published: 2 May 2025

What is CVE-2025-4210?

A vulnerability affecting the SCIM user creation endpoint in Casdoor versions up to 1.811.0 allows an attacker to bypass authorization controls. The issue can be exploited remotely and may grant unauthorized access to functionality that should require proper permissions. The vulnerable function, HandleScim, located in the file controllers/scim.go, fails to properly validate permissions for user creation operations. Users are advised to upgrade to version 1.812.0, which includes a patch addressing this vulnerability (commit 3d12ac8dc2282369296c3386815c00a06c6a92fe).

Affected Version(s)

Casdoor 1.811

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

krav (VulDB User)