Medium severity4.7GHSA Advisory· Published May 15, 2026· Updated May 15, 2026

SimpleSAMLphp casserver: Open Redirect in logout

CVE-2025-65954

Description

Summary

The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url.

There are a number of other things broken with logout in 7 (cas v3 uses a different query parameters, etc)

Details

https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104

Previous module checked the url against the valid service urls.

PoC

The docker instructions from the README.md run an image with a vulnerable config.

Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google

Impact

Impacted configs have

'enable_logout' => true,

and are most impacted if they also have

'skip_logout_page' -> true,

Affected products

Simplesamlphp/Simplesamlphp Module CasserverGHSA
Range: < 6.3.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000