CVE-2025-61524
HIGH7.2EPSS 0.11%Casdoor is vulnerable to Improper Authorization
Published: 10/8/2025Modified: 11/5/2025
Description
An issue in the permission verification module and organization/application editing interface in Casdoor before 2.63.0 allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mechanism by directly concatenating URLs after login.
Affected packages (2)
- Go/github.com/casdoor/casdoorfrom 0, < 2.63.0
- Go/github.com/casdoor/casdoorfrom 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYhttps://github.com/advisories/GHSA-5m9m-j5p7-m7f9
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-61524
- PATCHhttps://github.com/casdoor/casdoor
- WEBhttp://casdoor.com
- WEBhttps://gist.github.com/DevHjz/e75cea851d48e5f5478ac2a90757851a
- WEBhttps://github.com/casdoor/casdoor/commit/d883db907bb6e0b95737ef8e8b57b7da9078cbdd
- WEBhttps://github.com/casdoor/casdoor/releases/tag/v2.63.0