Medium severity 6.1 · GHSA Advisory · Published May 18, 2026 · Updated May 27, 2026

CVE-2025-65954

Description

SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter naming a redirect target. casserver treats that url as trusted and, depending on configuration, either redirects the browser there or shows a "you've been logged out" page with a link to continue to that url. Impacted configs include 'enable_logout' => true and 'skip_logout_page' => true. This issue has been resolved in versions 6.3.1 and 7.0.0.
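
The description above does not show the patched code. As an added example (not the module's own code or its fix), one way to treat a post-logout url parameter as untrusted is to accept it only when its origin exactly matches a configured allowlist; the function name `safeLogoutTarget` and the sample origins are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of simplesamlphp-module-casserver.
// Returns the URL if it is safe to redirect or link to after logout, else null.
function safeLogoutTarget(?string $url, array $allowedOrigins): ?string
{
    if ($url === null || $url === '') {
        return null;
    }
    // Reject control characters, whitespace and backslashes, which browsers may
    // normalise differently from parse_url() (e.g. "https:\\host").
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $url) === 1) {
        return null;
    }
    $parts = parse_url($url);
    // Require an absolute URL with a scheme and a host; this also rejects
    // scheme-relative ("//host/path") and javascript:/data: targets.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'https' && $scheme !== 'http') {
        return null;
    }
    // Userinfo ("https://trusted@other-host/") can disguise the real host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $origin = $scheme . '://' . strtolower($parts['host']);
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    // Exact origin match; no prefix or substring comparison.
    return in_array($origin, $allowedOrigins, true) ? $url : null;
}

// Constructed sample data.
$allowed = ['https://app.example.org', 'https://portal.example.org:8443'];
$samples = [
    'https://app.example.org/after-logout',
    'https://app.example.org.attacker.example/',
    '//attacker.example/',
    'https://app.example.org@attacker.example/',
    'javascript:alert(1)',
];
foreach ($samples as $candidate) {
    printf("%-45s %s\n", $candidate, safeLogoutTarget($candidate, $allowed) === null ? 'rejected' : 'allowed');
}
```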

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
simplesamlphp/simplesamlphp-module-casserver (Packagist) | >= 7.0.0-rc1, < 7.0.0 | 7.0.0
simplesamlphp/simplesamlphp-module-casserver (Packagist) | < 6.3.1 | 6.3.1

Affected products

4
  • (no CPE), range: < 6.3.1
  • cpe:2.3:a:simplesamlphp:simplesamlphp-module-casserver:*:*:*:*:*:*:*:*, range: < 6.3.1
  • cpe:2.3:a:simplesamlphp:simplesamlphp-module-casserver:7.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:simplesamlphp:simplesamlphp-module-casserver:7.0.0:rc2:*:*:*:*:*:*
