CVE-2025-50199
Blind SSRF in Chamilo /index.php via openid_url Parameter
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.30 (excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50199 is a high-severity unauthenticated Blind Server-Side Request Forgery (SSRF) vulnerability in Chamilo LMS versions up to 1.11.28. It occurs in the OpenID module via the POST parameter openid_url in /index.php.
The vulnerability arises because the application does not properly validate the destination address before making HTTP requests, allowing an attacker to send crafted requests that cause the server to connect to arbitrary external or internal network addresses.
This can be exploited remotely without any privileges or user interaction, enabling the attacker to perform actions such as internal network reconnaissance, port scanning, and attacks on external servers while hiding their origin.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to disclose sensitive data, perform denial of service attacks, and conduct internal network reconnaissance or port/service scanning.
Attackers can also use the vulnerable server to attack external servers while hiding their own origin, potentially implicating your system in malicious activities.
Although the vulnerability affects confidentiality of subsequent systems, it does not directly affect the integrity or availability of the vulnerable Chamilo LMS system itself.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or crafted HTTP POST requests targeting the /index.php endpoint with the openid_url parameter. Since exploitation involves sending specially crafted POST requests to this parameter, inspecting web server logs or using network monitoring tools to identify such requests can help detect attempts.
You can use tools like curl or wget to simulate such requests for testing purposes. For example, a command to test the vulnerability might look like:
- `curl -X POST -d "openid_url=http://example.com" https://your-chamilo-instance/index.php`
Additionally, network intrusion detection systems (NIDS) can be configured to alert on outbound requests initiated by the server to unexpected internal or external addresses triggered by such POST requests. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade Chamilo LMS to version 1.11.30 or later, where this vulnerability has been patched.
- Implement strict input validation on the openid_url parameter to ensure only approved IP addresses, domain names, and URLs are accepted.
- Enforce whitelist-based access control to restrict outgoing requests to approved addresses and ports, avoiding blacklists.
- Disable HTTP redirection to prevent attackers from bypassing validation.
- Limit requests to HTTP and HTTPS protocols only, blocking insecure schemes such as file:// or ftp://.
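The validation steps above, as an added example that is not code from this page or from Chamilo: a Python allow-list check a server can run on a user-supplied URL such as openid_url before fetching it (HTTP/HTTPS only, approved ports only, every resolved address must be public). FAKE_DNS, fake_resolve and the hostnames in them are constructed so the check runs offline; live_resolve is what production would use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None = scheme default port
# Constructed DNS answers so the example runs offline (not real records).
FAKE_DNS = {"example.com": {"93.184.216.34"},
            "intranet.local": {"10.0.0.5"},
            "mixed.example": {"93.184.216.34", "192.168.1.1"}}

def live_resolve(host):
    """Production resolver: every address the name maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def fake_resolve(host):
    """Offline resolver over FAKE_DNS; IP literals resolve to themselves."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror("constructed NXDOMAIN")
        return FAKE_DNS[host]

def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 by its embedded IPv4
    return ip.is_global and not ip.is_multicast

def validate_outbound_url(url, resolve=live_resolve):
    """Return (ok, reason) for a user-supplied URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password or not parts.hostname:
        return False, "credentials in URL or missing host"
    try:
        if parts.port not in ALLOWED_PORTS:
            return False, "port not allowed"
        addrs = resolve(parts.hostname)
    except (ValueError, OSError):  # malformed port or unresolvable name
        return False, "invalid port or unresolvable host"
    # Every answer must be public; a public+private mix still reaches the LAN.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

Run the check immediately before the outbound request and make that request with redirects disabled, connecting to the address that was just validated; otherwise a DNS answer that changes between check and fetch can still point the server at an internal host.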