CVE-2025-67852

3.5 LOW

📋 TL;DR

An open redirect vulnerability in Moodle's OAuth login flow allows attackers to redirect authenticated users to malicious websites. This affects all Moodle instances using OAuth authentication. Users could be tricked into visiting phishing sites after legitimate login.

💻 Affected Systems

Products:
  • Moodle
Versions: Specific affected versions not specified in CVE description
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Moodle instances with OAuth authentication enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users redirected to sophisticated phishing sites that steal credentials or install malware, leading to account compromise and potential data breaches.

🟠 Likely Case

Users redirected to phishing pages attempting to harvest login credentials or personal information.

🟢 If Mitigated

Users redirected to benign but unexpected external sites, causing confusion but no direct harm.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link) but is technically simple once the vulnerability is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Moodle security advisories for specific patched versions

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-67852

Restart Required: No

Instructions:

1. Check Moodle security advisories for the patched version.
2. Update Moodle to the patched version.
3. Verify that OAuth redirect validation is properly implemented.

🔧 Temporary Workarounds

Disable OAuth authentication (applies to: all)

Temporarily disable OAuth authentication until the patch is applied. How: edit Moodle configuration to disable OAuth plugins.

Implement redirect validation (applies to: all)

Add server-side validation to ensure redirect URLs are within allowed domains. How: implement whitelist validation for redirect URLs in the OAuth flow.

🧯 If You Can't Patch

  • Implement web application firewall rules to detect and block suspicious redirect patterns
  • Educate users about phishing risks and verify URLs before entering credentials

🔍 How to Verify

Check if Vulnerable:

Test OAuth login flow with crafted redirect URLs to external domains

Check Version:

Check Moodle version in administration panel or via moodle_version table

Verify Fix Applied:

Verify that OAuth redirects only go to approved domains after patch

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns in authentication logs
  • OAuth requests with external redirect URLs

Network Indicators:

  • HTTP 302 redirects to unexpected external domains after authentication

SIEM Query:

Search for authentication events followed by redirects to non-whitelisted domains
