CVE-2025-4210
published 2025-05-02


Priority: P2 77 high
CVSS 3.1: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploit status: exploited in the wild (VulnCheck KEV)
EPSS: 1.81% (76.0th percentile)
A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.812.0 is able to address this issue. The name of the patch is 3d12ac8dc2282369296c3386815c00a06c6a92fe. It is recommended to upgrade the affected component.

Affected (1 range)

Vendor      Product          Version range       Fixed in
github.com  casdoor_casdoor  >= 0, < 1.812.0     1.812.0

Detection & IOCs (extracted from sources)

URL: /scim/v2/Users
URL: /api/scim/v2/Users
Path: controllers/scim.go
  • Unauthenticated GET request to /scim/v2/Users or /api/scim/v2/Users returning HTTP 200 with SCIM JSON body indicates successful authorization bypass
  • Response Content-Type header of 'application/scim+json' or 'application/json' combined with body keywords 'schemas', 'totalResults', 'Resources', 'givenName' on the SCIM endpoint confirms exploitation
  • Vulnerable versions are Casdoor up to and including 1.811.0; patched in 1.812.0 via commit 3d12ac8dc2282369296c3386815c00a06c6a92fe in HandleScim function
  • The Nuclei template uses stop-at-first-match across both SCIM endpoint paths, so only the first responding path is evaluated; custom tooling should test /scim/v2/Users and /api/scim/v2/Users independently
  • The template sets max-requests to 2 (one per path variant), so detection probes are limited and a non-200 on the first path falls through to the second
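The indicators above can be turned into log-side detection. The following is an added example, not code from the advisory, the Nuclei template or the Casdoor project. It scans JSON-lines records as a reverse proxy or WAF might emit them (the field names ts, method, path, status, request_headers, response_headers and body are assumptions) and flags an unauthenticated GET to either SCIM Users path that was answered with HTTP 200 and a SCIM JSON body. Unlike the stop-at-first-match template, it evaluates both path variants independently; the sample records are constructed, not captured traffic.

```python
"""Log-side detection for the CVE-2025-4210 exploitation indicators.

Added example; not part of the original advisory or the Casdoor project.
Record field names (ts, method, path, status, request_headers,
response_headers, body) are assumptions about the log source.
"""
import json
from typing import Iterable, List

# Both endpoint paths are evaluated independently.
SCIM_USER_PATHS = ("/scim/v2/Users", "/api/scim/v2/Users")
SCIM_CONTENT_TYPES = ("application/scim+json", "application/json")
SCIM_BODY_KEYWORDS = ("schemas", "totalResults", "Resources")


def is_scim_bypass_indicator(rec: dict) -> bool:
    """True when one record matches the indicators: unauthenticated GET to a
    SCIM Users path, HTTP 200, SCIM/JSON content type, SCIM list keywords."""
    path = str(rec.get("path", "")).split("?", 1)[0]
    if path not in SCIM_USER_PATHS:
        return False
    if str(rec.get("method", "")).upper() != "GET" or rec.get("status") != 200:
        return False
    req_headers = {k.lower(): v for k, v in rec.get("request_headers", {}).items()}
    if req_headers.get("authorization"):
        return False  # credentialed SCIM traffic is expected and not flagged
    resp_headers = {k.lower(): v for k, v in rec.get("response_headers", {}).items()}
    ctype = str(resp_headers.get("content-type", "")).split(";", 1)[0].strip().lower()
    if ctype not in SCIM_CONTENT_TYPES:
        return False
    body = str(rec.get("body", ""))
    return all(kw in body for kw in SCIM_BODY_KEYWORDS)


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines records and return those matching the indicator.
    Malformed lines are skipped so one bad record does not abort the scan."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and is_scim_bypass_indicator(rec):
            hits.append(rec)
    return hits


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    # Unauthenticated GET answered 200 with a SCIM ListResponse: flagged.
    json.dumps({"ts": "2025-05-03T10:00:01Z", "method": "GET",
                "path": "/scim/v2/Users?count=100", "status": 200,
                "request_headers": {"User-Agent": "curl/8.0"},
                "response_headers": {"Content-Type": "application/scim+json; charset=utf-8"},
                "body": '{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],'
                        '"totalResults":2,"Resources":[{"userName":"alice"},{"userName":"bob"}]}'}),
    # Same response but with a bearer token present: normal SCIM client traffic.
    json.dumps({"ts": "2025-05-03T10:00:02Z", "method": "GET",
                "path": "/api/scim/v2/Users", "status": 200,
                "request_headers": {"Authorization": "Bearer REDACTED"},
                "response_headers": {"Content-Type": "application/json"},
                "body": '{"schemas":[],"totalResults":0,"Resources":[]}'}),
    # Unauthenticated but rejected with 401: patched behaviour, not flagged.
    json.dumps({"ts": "2025-05-03T10:00:03Z", "method": "GET",
                "path": "/api/scim/v2/Users", "status": 401,
                "request_headers": {},
                "response_headers": {"Content-Type": "application/json"},
                "body": '{"error":"unauthorized"}'}),
    "this line is not JSON and is skipped",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("possible CVE-2025-4210 bypass:", hit["ts"], hit["path"])
```

The query string is stripped before the path comparison and the Content-Type is compared without its parameters, so `/scim/v2/Users?count=100` and `application/scim+json; charset=utf-8` still match; a record carrying any Authorization header is treated as legitimate SCIM client traffic and left alone.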

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.3    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd        v4.0     6.9    MEDIUM    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           6.9    MEDIUM