CVE-2025-11222
Central Dogma's Login Function Has an Open Redirect Vulnerability
Description
### Impact Successful exploitation of this vulnerability could allow an attacker to craft a malicious link that, when clicked by a victim, redirects them to a phishing website designed to mimic the legitimate Central Dogma login page. This could result in the compromise of user accounts and unauthorized access to the Central Dogma instance. ### Patches This vulnerability is addressed and resolved in Central Dogma version 0.78.0. The server operators who run Central Dogma server with Shiro authentication are strongly encouraged to upgrade to this version or later to mitigate the risk associated with the open redirect vulnerability. ### Workarounds Implement `AuthProvider` to overrides `webLoginService()`. ### References - https://cwe.mitre.org/data/definitions/601.html
How to fix CVE-2025-11222
To remediate CVE-2025-11222, upgrade the affected package to a fixed version below.
- —upgrade to 0.78.0 or later
Is CVE-2025-11222 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.78.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |