CVE-2025-4210: 
vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-4210) was discovered in Casdoor versions up to 1.811.0 on May 2, 2025. The vulnerability affects the HandleScim function in the controllers/scim.go file, specifically in the SCIM User Creation Endpoint component. This security flaw allows remote attackers to bypass authorization controls (VulDB, GitHub Commit).

The vulnerability is related to an authorization bypass in the SCIM User Creation Endpoint. The endpoint lacks proper authentication middleware, allowing unauthenticated attackers to create admin accounts. The vulnerability has received a CVSS v3.1 Base Score of 7.3 (HIGH) and is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-285 (Improper Authorization) (VulDB).

The vulnerability affects the confidentiality, integrity, and availability of the system. An attacker can create unauthorized admin accounts without authentication, potentially gaining full administrative access to the Casdoor system (VulDB).

The vulnerability has been fixed in Casdoor version 1.812.0. The fix was implemented through patch 3d12ac8dc2282369296c3386815c00a06c6a92fe. Organizations using affected versions should immediately upgrade to version 1.812.0 or later (GitHub Release, VulDB).

According to security researchers, attempts to responsibly disclose the vulnerability were met with resistance. The developers reportedly issued a silent fix and responded to Discord communications by removing the reporter from their channel (VulDB Submit).