Vulnerability in SimpleSAMLphp-casserver for CAS 1.0 and 2.0 by SimpleSAMLphp
CVE-2025-65954

4.7 MEDIUM

Key Information:

Vendor
CVE Published: 18 May 2026

What is CVE-2025-65954?

The SimpleSAMLphp-casserver module, compliant with CAS 1.0 and 2.0, contains a vulnerability in its logout endpoint: when the 'enable_logout' and 'skip_logout_page' configuration options are enabled, the endpoint improperly handles URL redirection, which allows users to be redirected to untrusted or malicious URLs. The vulnerability has been remediated in versions 6.3.1 and 7.0.0; affected installations should update to one of these versions.

Affected Version(s)

simplesamlphp-module-casserver < 6.3.1

simplesamlphp-module-casserver >= 7.0.0-rc1, < 7.0.0

CVSS V3.0

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
