
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue in the permission verification module and the organization/application editing interface of Casdoor v2.26.0 and before, fixed in v2.63.0, allows a remote authenticated administrator of any organization in the system to bypass the system's permission verification mechanism by directly constructing request URLs after login (NVD, Casdoor Commit).
The vulnerability exists because Casdoor enforced access rights only at the front-end interface level and lacked strict permission checks at the back-end interface level. When processing a request to save an application's configuration, the server did not re-verify that the caller's organization was entitled to edit that application. An attacker could therefore bypass the front-end restrictions by constructing the back-end URLs directly and gain unauthorized access. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Security Advisory).
The vulnerability can lead to several severe impacts: 1) denial of service, by clearing the configuration of any application and thereby preventing user logins; 2) privilege escalation, by modifying the universal password of another organization, which grants access to any of its accounts, including system administrator accounts; 3) information leakage and account hijacking, by modifying an application's OAuth client credentials and redirect URLs (Security Advisory).
The vulnerability has been fixed in Casdoor version 2.63.0. Organizations running affected versions should upgrade to version 2.63.0 or later without delay. The fix improves the authorization filter so that permissions are verified at both the front-end and the back-end level (Casdoor Release).
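To make the root cause and the fix concrete, the following Go example (added here; it is not Casdoor's own code and the types, function names and sample data are simplified stand-ins constructed for illustration) places a save handler that relies only on the UI having hidden the form beside one that performs the missing back-end check: the stored application's owning organization is loaded first and compared with the caller's organization, and the owner field is never taken from the request body, so an organization administrator cannot reassign or edit another organization's application.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for an identity server's user and application
// records (constructed for this example, not Casdoor's own types).
type User struct {
	Name          string
	Organization  string // organization the user belongs to
	IsAdmin       bool   // administrator of their own organization
	IsGlobalAdmin bool   // administrator of the whole deployment
}

type Application struct {
	Name         string
	Organization string // organization that owns the application
	ClientSecret string
	RedirectURIs []string
}

var ErrForbidden = errors.New("forbidden: caller may not edit this application")

// store is an in-memory application table standing in for the database.
type store map[string]*Application

// saveApplicationUnchecked mirrors the weak pattern the advisory describes:
// the handler trusts that the UI only showed the form to the right admins and
// performs no server-side check that the caller's organization owns the
// application. Any authenticated admin can overwrite any application.
func saveApplicationUnchecked(db store, caller User, update Application) error {
	if !caller.IsAdmin && !caller.IsGlobalAdmin {
		return ErrForbidden
	}
	db[update.Name] = &update
	return nil
}

// canEditApplication is the authorization rule enforced on the back end:
// global admins may edit anything; an organization admin may only edit
// applications owned by their own organization.
func canEditApplication(caller User, app *Application) bool {
	if caller.IsGlobalAdmin {
		return true
	}
	return caller.IsAdmin && caller.Organization == app.Organization
}

// saveApplicationChecked loads the stored record first and authorizes against
// the stored owner, not the owner supplied in the request body, so a caller
// cannot reassign an application to their own organization in the same call.
func saveApplicationChecked(db store, caller User, update Application) error {
	existing, ok := db[update.Name]
	if !ok {
		return errors.New("no such application")
	}
	if !canEditApplication(caller, existing) {
		return ErrForbidden
	}
	// Ownership is never taken from the request; it stays as stored.
	update.Organization = existing.Organization
	db[update.Name] = &update
	return nil
}

// newSampleStore seeds one application owned by the "finance" organization
// (constructed sample data).
func newSampleStore() store {
	return store{
		"payroll": {Name: "payroll", Organization: "finance", ClientSecret: "s1",
			RedirectURIs: []string{"https://payroll.example/cb"}},
	}
}

func main() {
	// Constructed scenario: an admin of "marketing" submits a save request for
	// an application owned by "finance", with a changed redirect URI.
	otherOrgAdmin := User{Name: "bob", Organization: "marketing", IsAdmin: true}
	update := Application{Name: "payroll", Organization: "marketing",
		RedirectURIs: []string{"https://elsewhere.example/cb"}}

	weak := newSampleStore()
	fmt.Println("unchecked:", saveApplicationUnchecked(weak, otherOrgAdmin, update), weak["payroll"].RedirectURIs)

	fixed := newSampleStore()
	fmt.Println("checked:  ", saveApplicationChecked(fixed, otherOrgAdmin, update), fixed["payroll"].RedirectURIs)
}
```

The unchecked handler silently accepts the cross-organization write; the checked handler returns ErrForbidden and leaves the stored record untouched. The same rule applies to every mutating back-end endpoint, not only the application save route: the check belongs in the server, keyed on the stored owner, regardless of what the front end displays.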
Source: This report was generated using AI