CVE-2025-54066
📋 TL;DR
This vulnerability in DiracX-Web allows attackers to redirect authenticated users to malicious websites through an unvalidated redirect parameter. Attackers can exploit parameter pollution to hide malicious URLs, potentially leading to phishing attacks and credential theft. All users of DiracX-Web versions before 0.1.0-a8 are affected.
💻 Affected Systems
- DiracX-Web
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers successfully phish user credentials, gain unauthorized access to sensitive systems, and potentially compromise the entire DiracX infrastructure.
Likely Case
Users are redirected to phishing sites that steal credentials, leading to unauthorized access to individual accounts and potential data exposure.
If Mitigated
Users are redirected to suspicious URLs but security training and multi-factor authentication prevent successful credential theft.
🎯 Exploit Status
Exploitation requires the attacker to craft a malicious URL and trick an authenticated user into clicking it. Parameter pollution techniques make detection more difficult.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.0-a8
Vendor Advisory: https://github.com/DIRACGrid/diracx-web/security/advisories/GHSA-hfj7-542q-8fvv
Restart Required: Yes
Instructions:
1. Update DiracX-Web to version 0.1.0-a8 or later.
2. Restart the DiracX-Web service.
3. Verify the fix by testing redirect functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to only allow redirects to trusted domains
Implement redirect URL validation in application code to check the domain against an allow-list
WAF Rule
Configure the web application firewall to block requests with suspicious redirect parameters
Add a WAF rule to detect and block requests with external URLs in the redirect parameter
🧯 If You Can't Patch
- Implement strict input validation for all redirect parameters to only allow internal URLs
- Deploy web application firewall with rules to detect and block open redirect attempts
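The following is an added example, not code from DiracX-Web or the advisory, of the server-side redirect validation recommended in the workarounds above. It shows why a substring check is defeated by the parameter-pollution value in the reference URL (a trusted host embedded after the attacker's host) and how parsing the value against the application's own origin rejects it. `APP_ORIGIN`, `attacker.example` and the helper names are assumptions chosen for the example.

```javascript
// Added example (not DiracX-Web code): validate a `redirect` parameter
// before issuing a post-login redirect. APP_ORIGIN is an assumed deployment
// value; the attacker host below is a constructed placeholder.
const APP_ORIGIN = "https://diracx.example.org";

// Naive check of the kind an open redirect slips past: it only asks whether
// the trusted host appears somewhere in the string, so a value that embeds
// "?redirect=https://<trusted>/..." after an attacker-controlled host (the
// parameter-pollution trick described on this page) is accepted.
function naiveIsTrusted(raw, appOrigin = APP_ORIGIN) {
  return raw.includes(new URL(appOrigin).host);
}

// Hardened resolution: parse the value relative to the application's own
// origin and accept it only if the resulting origin is ours. Returns a
// same-origin path (with query and fragment), or `fallback` when rejected.
function safeRedirectTarget(raw, appOrigin = APP_ORIGIN, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return fallback;
  }
  // Control characters and backslashes can change how browsers parse a URL
  // ("/\evil.test" is treated like "//evil.test"); reject them outright.
  if (/[\u0000-\u001f\\]/.test(raw)) return fallback;

  let parsed;
  try {
    // A bare path such as "/jobs" resolves against appOrigin. An absolute URL
    // ("https://evil.test/"), a protocol-relative one ("//evil.test"), a
    // userinfo trick ("https://trusted@evil.test/") or a non-http scheme
    // ("javascript:...") all keep a foreign origin, rejected below.
    parsed = new URL(raw, appOrigin);
  } catch {
    return fallback;
  }
  if (parsed.origin !== new URL(appOrigin).origin) return fallback;

  // Emit only path, query and fragment so the Location header never carries
  // a host that the request influenced.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed input shaped like the reference URL on this page: an attacker
// host first, then a second "?redirect=" pointing at the trusted host.
const POLLUTED =
  "https://attacker.example/en/where/?a=b?redirect=https://diracx.example.org/auth";

// Usage: the naive check accepts POLLUTED; the hardened check sends the
// user to the fallback instead.
console.log(naiveIsTrusted(POLLUTED), safeRedirectTarget(POLLUTED));
console.log(safeRedirectTarget("/jobs?x=1#top"));
```

The same origin comparison also covers the detection query on this page: anything rejected by `safeRedirectTarget` is worth logging with the raw parameter value, since a rejected external origin is exactly the "external domain in redirect parameter" indicator listed under Log Indicators.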
🔍 How to Verify
Check if Vulnerable:
Test if the login page accepts external URLs in the redirect parameter without validation
Check Version:
Check DiracX-Web version in application interface or configuration files
Verify Fix Applied:
Attempt to use external URLs in the redirect parameter and verify they are rejected or sanitized
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with external domains in redirect parameter
- Multiple failed login attempts followed by redirects to unusual domains
Network Indicators:
- Outbound connections to suspicious domains following login requests
- Unusual redirect patterns in HTTP traffic
SIEM Query:
source="diracx-web" AND (url:*redirect=*http* OR url:*redirect=*https*) AND NOT url:*redirect=*trusted-domain*
🔗 References
- https://diracx-cert.app.cern.ch/auth?redirect=https://ipcim.com/en/where/?dsdsd=qsqsfsjfnsfniizaeiaapzqlalkqkaizqqijsjaopmqmxna?redirect=https://diracx-cert-app.cern.ch/auth
- https://github.com/DIRACGrid/diracx-web/commit/eba3b7bc4f9d394074215986e6d3c15b546b25d5
- https://github.com/DIRACGrid/diracx-web/security/advisories/GHSA-hfj7-542q-8fvv