Medium severity (CVSS 6.1) · GHSA Advisory · Published May 18, 2026 · Updated May 27, 2026
CVE-2025-65954
Description
SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a `url` query parameter to redirect to. casserver treats that URL as trusted and, depending on configuration, either redirects the browser there or shows a "you've been logged out" page with a link to continue to that URL. Impacted configurations include `'enable_logout' => true` and `'skip_logout_page' => true`. This issue has been resolved in versions 6.3.1 and 7.0.0.
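The fix the advisory describes is to stop treating the `url` parameter as trusted. As an added illustration (not code from the casserver module or from the fix commits referenced below), the following hypothetical PHP helper validates a logout redirect target against an operator-configured host allowlist before the server either redirects to it or renders it as a "continue" link. The function name, the allowlist and the sample URLs are all constructed for this example.

```php
<?php
// Added example, not code from simplesamlphp-module-casserver.
// Hypothetical helper: only accept a logout redirect target if it is a
// same-site relative path or an https URL on an allowlisted host.
declare(strict_types=1);

function isAllowedLogoutRedirect(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }

    // Case 1: relative path (no scheme, no host) stays on the current site.
    // Reject protocol-relative "//host" forms (parse_url reports a host for
    // those) and backslashes, which some browsers normalise to "/".
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        $path = $parts['path'] ?? '';
        return $path !== ''
            && $path[0] === '/'
            && !str_starts_with($path, '//')
            && !str_contains($path, '\\');
    }

    // Case 2: absolute URL must be https and point at an allowlisted host.
    // Comparing the parsed host (not the raw string) defeats tricks such as
    // "https://allowed.example@other.example/", where the host is other.example.
    if (!isset($parts['scheme'], $parts['host'])
        || strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    $host = strtolower($parts['host']);
    $allowed = array_map('strtolower', $allowedHosts);
    return in_array($host, $allowed, true);
}

// Constructed allowlist and sample inputs for a stand-alone run.
$allowedHosts = ['sso.example.org', 'app.example.org'];
$candidates = [
    'https://app.example.org/home',                 // allow
    '/module.php/casserver/loggedout',              // allow (relative)
    'https://untrusted.example/landing',            // deny: host not allowlisted
    '//untrusted.example/landing',                  // deny: protocol-relative
    'http://app.example.org/home',                  // deny: not https
    'https://app.example.org@untrusted.example/',   // deny: real host is untrusted.example
];

foreach ($candidates as $candidate) {
    printf("%-48s %s\n", $candidate,
        isAllowedLogoutRedirect($candidate, $allowedHosts) ? 'allow' : 'deny');
}
```

When the check fails, a server should fall back to its own logged-out page rather than echo the rejected value into a link; the same validation applies whether `skip_logout_page` redirects immediately or the page merely renders the "continue" anchor, since both paths hand the user to the attacker-controlled destination.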
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| simplesamlphp/simplesamlphp-module-casserver | Packagist | >= 7.0.0-rc1, < 7.0.0 | 7.0.0 |
| simplesamlphp/simplesamlphp-module-casserver | Packagist | < 6.3.1 | 6.3.1 |
Affected products
- (no CPE), range: < 6.3.1
- cpe:2.3:a:simplesamlphp:simplesamlphp-module-casserver:*:*:*:*:*:*:*:*, range: < 6.3.1
- cpe:2.3:a:simplesamlphp:simplesamlphp-module-casserver:7.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:simplesamlphp:simplesamlphp-module-casserver:7.0.0:rc2:*:*:*:*:*:*
References
- github.com/simplesamlphp/simplesamlphp-module-casserver/commit/0462f50f00b3bb300d83067d11b74146a57bb8e0 (NVD: Patch, Web)
- github.com/simplesamlphp/simplesamlphp-module-casserver/commit/fb6c6f1c7b9e757c93c5c306e1d36405e64f6dc5 (NVD: Patch, Web)
- github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523 (NVD: Exploit, Vendor Advisory, Web)
- github.com/advisories/GHSA-cvrm-5hp6-h523 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-65954 (GHSA: Advisory)
- github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php (GHSA: Web)