CVE-2025-10229 is an open redirect vulnerability identified in Freshwork versions up to and including 1.2.3. The vulnerability resides in the /api/v2/logout endpoint, specifically in the handling of the post_logout_redirect_uri parameter. An attacker can manipulate this parameter to redirect users to arbitrary external URLs after logout, potentially leading to phishing attacks, session hijacking, or other social engineering exploits. The vulnerability is remotely exploitable without requiring authentication or privileges, and user interaction is necessary to trigger the redirect. The CVSS v4.0 base score is 5.3, indicating a medium severity level. The vendor has been notified but did not respond, and an upgrade to version 1.2.3 is advised to remediate the issue. No known exploits are currently reported in the wild. The vulnerability does not impact confidentiality or availability directly but can affect user trust and integrity of user sessions by facilitating redirection to malicious sites.

For European organizations using Freshwork, this vulnerability poses a moderate risk primarily in the form of social engineering and phishing attacks. Attackers could exploit the open redirect to craft URLs that appear legitimate but redirect users to malicious websites, potentially leading to credential theft or malware infection. This can undermine user trust in the affected service and may lead to reputational damage, especially for organizations handling sensitive customer data or regulated industries such as finance, healthcare, or government. While the vulnerability does not directly compromise system confidentiality or availability, the indirect consequences of successful phishing campaigns can be severe. Additionally, compliance with GDPR and other data protection regulations may be impacted if user data is compromised following exploitation.

European organizations should immediately upgrade Freshwork to version 1.2.3 or later, where the vulnerability is fixed. Until the upgrade is applied, organizations should implement strict input validation and sanitization on the post_logout_redirect_uri parameter to ensure only trusted URLs are accepted. Employing a whitelist of allowed redirect domains can prevent arbitrary redirection. Additionally, security teams should monitor logs for suspicious logout redirect requests and educate users about the risks of clicking on unexpected links, especially those related to logout or session termination. Implementing web application firewalls (WAFs) with rules to detect and block open redirect attempts targeting this endpoint can provide an additional layer of defense. Finally, organizations should review their phishing detection and response capabilities to mitigate potential social engineering attacks leveraging this vulnerability.