PatchSiren cyber security CVE debrief
CVE-2025-65954 simplesamlphp CVE debrief
CVE-2025-65954 affects SimpleSAMLphp-casserver, a CAS 1.0/2.0 compliant CAS server module for SimpleSAMLphp. In affected versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter and treats it as trusted. Depending on configuration, the browser is redirected to that URL or shown a logout page with a follow-on link. The issue is fixed in versions 6.3.1 and 7.0.0.
- Vendor: simplesamlphp
- Product: simplesamlphp-module-casserver
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Administrators and operators running SimpleSAMLphp-casserver, especially installations with enable_logout set to true and skip_logout_page set to true. Security teams should also review any application or identity workflow that exposes the logout endpoint to end users.
Technical summary
The vulnerability is an open redirect / trusted-redirect issue in the logout endpoint. The source advisory and NVD record indicate the endpoint accepts a url parameter and does not sufficiently constrain where that value may point, matching CWE-601 (URL Redirection to Untrusted Site). The supplied CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N) reflects a network-reachable issue that needs no privileges but does require user interaction (the user must follow the crafted logout link), with changed scope because the impact lands in the user's browser rather than in the CAS server itself, and a low integrity impact from the redirect rather than any confidentiality or availability loss.
Defensive priority
Medium. This is not a code-execution flaw, but it can still be used to mislead users and weaken trust in authentication or logout flows. Patch priority is moderate-to-high for any internet-facing or user-facing deployment.
Recommended defensive actions
- Upgrade SimpleSAMLphp-casserver to version 6.3.1 or later, or 7.0.0 or later, as applicable to your deployment line.
- Review logout behavior and confirm the endpoint does not accept arbitrary redirect destinations in production.
- If you cannot patch immediately, disable or minimize the impacted logout configuration paths where feasible, especially enable_logout and skip_logout_page combinations.
- Audit external links or bookmarks that point to the logout endpoint and ensure users are not being sent through unsafe redirect chains.
- Validate the fix after upgrading by testing that logout only returns users to approved destinations.
Evidence notes
All substantive claims here are drawn from the supplied NVD record and GitHub Security Advisory references. The source corpus states that SimpleSAMLphp-casserver versions below 6.3.1 and 7.0.0 are affected, that the logout endpoint trusts a url query parameter, and that the issue is resolved in 6.3.1 and 7.0.0. The NVD entry lists CWE-601 and the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. No exploit details are included beyond the described behavior.
Official resources
The supplied CVE record was published on 2026-05-18 and last modified on 2026-05-18. The source corpus does not indicate KEV inclusion.