CVE-2025-61782
Open Redirect in OpenCTI SAML Endpoint Enables Phishing
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opencti | opencti | up to 6.8.3 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61782 is an open redirect vulnerability in the OpenCTI platform's SAML authentication endpoint (/auth/saml/callback) prior to version 6.8.3. The vulnerability arises because the RelayState parameter, which controls the URL to which users are redirected after authentication, is not properly validated or sanitized. An attacker can manipulate this parameter to cause the server to redirect users to any external URL, potentially leading to phishing, credential theft, and arbitrary site redirection. The vulnerability was fixed by introducing a sanitization function that ensures redirects only occur within the trusted domain. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to redirect users from the trusted OpenCTI platform to malicious external websites. This can facilitate phishing attacks, credential theft, arbitrary site redirection, and potentially malware distribution. Exploitation undermines trust in the authentication process and can lead to compromised user credentials or tokens, reputational damage, and increased risk of social engineering attacks. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Exploitation of this vulnerability can lead to credential theft and unauthorized access to user information, which may result in violations of data protection regulations such as GDPR and HIPAA. The resulting data breaches or unauthorized disclosures could cause non-compliance with these standards, leading to legal and financial consequences. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP 302 redirects issued by the OpenCTI platform's /auth/saml/callback endpoint that redirect users to external URLs not belonging to the trusted domain. Look for suspicious RelayState parameter values causing redirects to external domains. Additionally, check logs for informational messages about altered or invalid referer URLs during authentication callbacks, as the patched version logs such events. Specific commands are not provided, but you can use network monitoring tools (e.g., tcpdump, Wireshark) or web server access logs to identify unexpected redirects from the /auth/saml/callback endpoint to external URLs. [1, 2]
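As an added example (not code from OpenCTI or from this advisory), the following script applies the detection idea above to access-log lines: it flags 3xx responses from /auth/saml/callback whose Location header leaves the trusted origin. It assumes a log format that appends the response Location header as a final quoted field (for example an nginx log_format ending in "$sent_http_location"); the trusted origin, the hostnames and the log lines are constructed for the example.

```javascript
// Added example (not OpenCTI code): flag redirects issued by the SAML callback
// endpoint whose Location header points outside the trusted origin.
// Assumes a combined-style access log with one extra trailing quoted field
// holding the response Location header (e.g. nginx "$sent_http_location").

const CALLBACK_PATH = '/auth/saml/callback';

// ip ident user [time] "method target proto" status bytes "referer" "ua" "location"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)"$/;

// Parse one log line into a plain object, or return null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, location] = m;
  return { ip, time, method, path: target.split('?')[0], status: Number(status), location };
}

// Classify a response as 'external' (redirect leaves the trusted origin),
// 'internal' (redirect stays on it) or 'none' (not a redirect at all).
function classifyRedirect(entry, trustedOrigin) {
  if (entry.status < 300 || entry.status > 399) return 'none';
  if (!entry.location || entry.location === '-') return 'none';
  let url;
  try {
    // Relative targets resolve against the trusted origin; absolute and
    // protocol-relative ("//host") targets resolve to their own origin.
    url = new URL(entry.location, trustedOrigin);
  } catch {
    return 'external'; // an unparsable Location is treated as suspicious
  }
  return url.origin === trustedOrigin ? 'internal' : 'external';
}

// Walk the log and collect callback responses that redirect off-origin.
function findSuspiciousRedirects(lines, trustedOrigin) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry || entry.path !== CALLBACK_PATH) continue;
    if (classifyRedirect(entry, trustedOrigin) === 'external') {
      hits.push({ ip: entry.ip, time: entry.time, location: entry.location });
    }
  }
  return hits;
}

// Constructed sample traffic (not real logs). The lookalike host on the fourth
// line shows why a prefix/substring match on the hostname is not enough.
const TRUSTED_ORIGIN = 'https://opencti.example.org';
const SAMPLE_LOG = [
  '203.0.113.5 - - [07/Jan/2026:10:00:01 +0000] "POST /auth/saml/callback HTTP/1.1" 302 0 "-" "Mozilla/5.0" "/dashboard"',
  '198.51.100.7 - - [07/Jan/2026:10:00:02 +0000] "POST /auth/saml/callback HTTP/1.1" 302 0 "-" "Mozilla/5.0" "https://login.evil.example/opencti"',
  '198.51.100.7 - - [07/Jan/2026:10:00:03 +0000] "POST /auth/saml/callback HTTP/1.1" 302 0 "-" "Mozilla/5.0" "//evil.example/"',
  '203.0.113.9 - - [07/Jan/2026:10:00:04 +0000] "POST /auth/saml/callback HTTP/1.1" 302 0 "-" "Mozilla/5.0" "https://opencti.example.org.evil.example/"',
  '203.0.113.5 - - [07/Jan/2026:10:00:05 +0000] "GET /dashboard HTTP/1.1" 200 5120 "https://opencti.example.org/" "Mozilla/5.0" "-"',
  '203.0.113.5 - - [07/Jan/2026:10:00:06 +0000] "POST /auth/saml/callback HTTP/1.1" 302 0 "-" "Mozilla/5.0" "https://opencti.example.org/dashboard/analyses"',
];

console.log(findSuspiciousRedirects(SAMPLE_LOG, TRUSTED_ORIGIN));
```

The comparison is done on the parsed origin (scheme, host and port) rather than on a hostname prefix, so protocol-relative targets and lookalike hosts such as `opencti.example.org.evil.example` are caught. Run over the constructed sample, the three off-origin callback redirects are reported and the on-origin ones are not.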
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the OpenCTI platform to version 6.8.3 or later, where the issue has been patched by sanitizing and validating the RelayState parameter to prevent open redirects. Until the upgrade is applied, restrict access to the /auth/saml/callback endpoint if possible, monitor for suspicious redirects, and educate users about potential phishing risks stemming from manipulated redirects. [1, 2]
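To make the sanitization property concrete, the block below is an added example in JavaScript; it is not OpenCTI's own patch, only the same idea the explanation and mitigation answers describe (redirects confined to the trusted domain). It contrasts an unchecked RelayState redirect with one that resolves the parameter against the trusted origin and falls back to a fixed landing page otherwise. The origin, the landing path and the function names are assumptions, and the logging callback mirrors the "altered" messages that the detection answer says the patched version emits.

```javascript
// Added example (not OpenCTI's fix): weak RelayState handling next to a
// hardened version. TRUSTED_ORIGIN and DEFAULT_LANDING are assumed deployment
// values for the example.

const TRUSTED_ORIGIN = 'https://opencti.example.org';
const DEFAULT_LANDING = '/dashboard';

// Weak pattern (CWE-601): the Location header is whatever RelayState says,
// so any absolute URL in the parameter becomes the redirect target.
function unsafeRedirectTarget(relayState) {
  return relayState || DEFAULT_LANDING;
}

// Hardened pattern: resolve RelayState against the trusted origin, accept it
// only if it stays there, and return a relative path so the response never
// echoes an attacker-supplied absolute URL. `log` is called whenever the
// requested target is replaced, so the event is visible in the logs.
function safeRedirectTarget(relayState, trustedOrigin = TRUSTED_ORIGIN, log = () => {}) {
  if (typeof relayState !== 'string' || relayState.trim() === '') {
    return DEFAULT_LANDING;
  }
  let url;
  try {
    url = new URL(relayState, trustedOrigin);
  } catch {
    log(`invalid RelayState rejected: ${relayState}`);
    return DEFAULT_LANDING;
  }
  // Origin comparison covers absolute URLs on other hosts, protocol-relative
  // "//host" values, backslash variants (normalised to "//" by the URL
  // parser), userinfo tricks ("trusted@evil") and non-http schemes (origin
  // "null"). Comparing hostnames by prefix would miss several of these.
  if (url.origin !== trustedOrigin) {
    log(`external RelayState altered: ${relayState} -> ${DEFAULT_LANDING}`);
    return DEFAULT_LANDING;
  }
  return url.pathname + url.search + url.hash;
}

// Minimal shape of what a callback handler would send after a successful
// SAML assertion: a 302 whose Location went through safeRedirectTarget.
function buildCallbackResponse(relayState, trustedOrigin = TRUSTED_ORIGIN) {
  const messages = [];
  const location = safeRedirectTarget(relayState, trustedOrigin, (m) => messages.push(m));
  return { status: 302, headers: { Location: location }, messages };
}

// Constructed inputs for illustration.
for (const rs of ['/dashboard/analyses?x=1', 'https://login.evil.example/', '//evil.example/x']) {
  console.log(JSON.stringify(rs), '->', unsafeRedirectTarget(rs), '|', safeRedirectTarget(rs));
}
```

Returning `pathname + search + hash` rather than the original string means even an accepted same-origin absolute URL is re-emitted as a relative path, which removes any dependence on how the upstream proxy or browser reinterprets the host part. A deployment that needs to allow a small set of additional origins should compare against an explicit allow-list of origins in the same way, never against a hostname substring.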