VYPR
Moderate severity · NVD Advisory · Published Dec 4, 2025 · Updated Dec 4, 2025

CVE-2025-11222

Description

Central Dogma versions before 0.78.0 contain an Open Redirect vulnerability that allows attackers to redirect users to untrusted sites via specially crafted URLs, potentially facilitating phishing attacks and credential theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Central Dogma before 0.78.0 has an open redirect vulnerability in its login flow, enabling phishing attacks via crafted URLs.

Vulnerability

Overview

Central Dogma versions prior to 0.78.0 contain an open redirect vulnerability that allows an attacker to redirect users to arbitrary external sites via specially crafted URLs [1][4]. The root cause lies in the login redirect logic, which mishandled certain HTTP status codes: the application redirected users to the login page even on a 403 Forbidden response, which indicates the user was already authenticated but lacked permission [2][3]. This behavior could be abused by an attacker to craft a URL that, after authentication, redirects the victim to an untrusted destination.

Exploitation

An attacker can exploit this vulnerability by sending a victim a malicious link that appears legitimate but contains a crafted redirect parameter. When the victim clicks the link and authenticates (or is already authenticated), the application's flawed redirect logic sends them to an attacker-controlled site [4]. No special privileges are required beyond the ability to craft a URL and trick a user into clicking it. The vulnerability is present in the Shiro authentication flow used by Central Dogma [4].

Impact

Successful exploitation enables an attacker to redirect users to a phishing website that mimics the Central Dogma login page. This can lead to credential theft and unauthorized access to the victim's Central Dogma account [1][4]. The open redirect could also be used in broader social engineering campaigns to deliver malware or steal sensitive information.

Mitigation

The vulnerability is fixed in Central Dogma version 0.78.0 [4]. Server operators using Shiro authentication are strongly advised to upgrade immediately. As a workaround, administrators can implement a custom AuthProvider that overrides the webLoginService() method to prevent the redirect [4]. No other mitigations are documented.
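A defensive check of the kind the fix implies, as an added example in TypeScript that is not Central Dogma's own code: the login flow only honours a post-login return target that resolves to a path on the application's own origin and falls back to a fixed landing page otherwise. The names safeReturnTo, createLoginUrl and DEFAULT_LANDING, the appOrigin parameter and the sample origin are assumptions.

```typescript
// Added example, not Central Dogma code: constrain the post-login "return to"
// target so a crafted URL can never send the browser off the application's origin.
// DEFAULT_LANDING, safeReturnTo and createLoginUrl are assumed names.

const DEFAULT_LANDING = "/app/projects";

// Returns a relative path on appOrigin, or DEFAULT_LANDING when the candidate
// is absent, malformed, absolute, scheme-relative, or escapes the origin.
function safeReturnTo(raw: string | null | undefined, appOrigin: string): string {
  if (!raw) return DEFAULT_LANDING;

  // Decode once so percent-encoded slashes cannot smuggle in a host.
  let candidate: string;
  try {
    candidate = decodeURIComponent(raw).trim();
  } catch {
    return DEFAULT_LANDING; // malformed percent-encoding
  }

  // Accept only a single leading slash: "//host" is scheme-relative, and
  // "javascript:" or "https://evil" never start with "/".
  if (!candidate.startsWith("/") || candidate.startsWith("//")) return DEFAULT_LANDING;

  // Browsers treat "\" as "/", so "/\evil" would also leave the site; control
  // characters can split headers or terminate the URL early.
  if (/[\u0000-\u001F\\]/.test(candidate)) return DEFAULT_LANDING;

  const origin = new URL(appOrigin).origin;
  const resolved = new URL(candidate, origin);
  if (resolved.origin !== origin) return DEFAULT_LANDING;

  // Re-resolve the normalised path: "/..//evil" normalises to "//evil", which a
  // Location header would send to another host even though parsing kept our origin.
  const relative = resolved.pathname + resolved.search + resolved.hash;
  if (new URL(relative, origin).origin !== origin) return DEFAULT_LANDING;
  return relative;
}

// Client-side login URL carrying only a validated return target.
function createLoginUrl(currentPath: string, appOrigin: string): string {
  return `/login?returnTo=${encodeURIComponent(safeReturnTo(currentPath, appOrigin))}`;
}
```

The same check belongs on the server side wherever the login service reads the return target back out of the query string, since the client cannot be trusted to have sent a validated value.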

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.linecorp.centraldogma:centraldogma-server-auth-shiro (Maven)
Affected versions: < 0.78.0
Patched versions: 0.78.0

Patches

95e7bbd77266

Do not redirect to the login page on a 403 Forbidden error. (#1207)

https://github.com/line/centraldogma · minux · Nov 14, 2025 · via ghsa
3 files changed · +4 −3
  • webapp/javaTest/java/com/linecorp/centraldogma/webapp/SamlCentralDogmaTestServer.java (+1 −1, modified)
    @@ -52,7 +52,7 @@ public static void main(String[] args) throws IOException {
             final Path rootDir = Files.createTempDirectory("dogma-test");
             final CentralDogma server = new CentralDogmaBuilder(rootDir.toFile())
                     .webAppEnabled(true)
    -                .encryptionAtRest(new EncryptionAtRestConfig(true, true))
    +                .encryptionAtRest(new EncryptionAtRestConfig(false, false))
                     .port(PORT, SessionProtocol.HTTP)
                     .systemAdministrators(USERNAME)
                     .cors("http://127.0.0.1:36462", "http://127.0.0.1:3000", "http://localhost:36462",
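Review bot: the switch from `.encryptionAtRest(new EncryptionAtRestConfig(true, true))` to `(false, false)` has nothing to do with the 403 redirect named in the commit message; it turns encryption at rest off in the SAML test server. Either split it into its own commit or state in the message why the SAML test setup now needs encryption at rest disabled, so the next reader does not take it for part of the redirect fix.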
    
  • webapp/javaTest/java/com/linecorp/centraldogma/webapp/SamlIdpServer.java (+2 −1, modified)
    @@ -114,7 +114,8 @@ public HttpResponse serve(ServiceRequestContext ctx, HttpRequest req) throws Exc
                     final String samlRequest = params.get("SAMLRequest");
                     final String relayState = params.get("RelayState");
     
    -                if (!("foo".equals(username) && "bar".equals(password))) {
    +                if (!("foo".equals(username) && "bar".equals(password)) &&
    +                    !("foo2".equals(username) && "bar2".equals(password))) {
                         final String loginFailedHtml =
                                 "<html><body><h1>Login Failed</h1><p>Invalid username or password.</p>" +
                                 "<a href='javascript:history.back()'>Go Back</a></body></html>";
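Review bot: the new condition `!("foo".equals(username) && "bar".equals(password)) && !("foo2".equals(username) && "bar2".equals(password))` is logically right (login fails only when neither pair matches), but a double negation over two hard-coded pairs is easy to get wrong when a third test account is added; a small map of allowed test users checked with a single lookup would read better. This hunk is also unrelated to the 403 redirect in the commit message and would sit better in a separate test-fixture commit.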
    
  • webapp/src/dogma/features/api/apiSlice.ts (+1 −1, modified)
    @@ -126,7 +126,7 @@ const baseQueryWithReauth: BaseQueryFn<string | FetchArgs, unknown, FetchBaseQue
     ) => {
       const result = await baseQuery(args, api, extraOptions);
     
    -  if (result.error && (result.error.status === 401 || result.error.status === 403)) {
    +  if (result.error && result.error.status === 401) {
         api.dispatch(clearAuth());
         Router.push(createLoginUrl());
       }
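Review bot: dropping `result.error.status === 403` from the condition matches the commit message, but a 403 now falls through baseQueryWithReauth with no handling at all, so callers must surface the permission error to the user rather than leaving a silently failed request; a comment on the condition stating that 403 means an authenticated user without permission and must not clear auth would prevent the old behaviour from being reintroduced. Note also that of the three files changed, two are test fixtures and this one is the web client; none touch the server-side Shiro login redirect that the advisory's workaround (overriding webLoginService()) refers to, so the server-side fix must live in another commit.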
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
