CVE-2025-23113 identifies a CSRF vulnerability in Vanderbilt REDCap version 14.9.6, specifically affecting the logout functionality. REDCap is a widely used research electronic data capture tool. The vulnerability is triggered when an attacker crafts a CSV file containing an HTML injection payload embedded in the alert-title field of alert configurations. When a victim uploads this CSV file, they are taken to a page displaying the uploaded data. If the victim clicks on the malicious alert-title, the embedded payload triggers a logout request (action=myprojects&logout=1) without proper CSRF protections, terminating the user's session. Alternatively, the payload can redirect the user to a phishing website. The root cause is the absence of CSRF tokens or other anti-CSRF mechanisms on the logout endpoint. The attack requires user interaction (clicking the injected alert-title) and does not require prior authentication or elevated privileges. The vulnerability is rated with a CVSS 3.1 score of 3.4 (low severity), reflecting limited impact on confidentiality and availability, and the need for user interaction and high attack complexity. No patches or exploits are currently documented, but the vulnerability could be leveraged to disrupt user sessions or facilitate social engineering attacks.

The primary impact of this vulnerability is session termination through forced logout, which can disrupt ongoing research activities and data entry in REDCap. Additionally, the ability to redirect users to phishing websites poses a risk of credential theft or further compromise through social engineering. While the vulnerability does not directly expose sensitive data or allow privilege escalation, the forced logout can cause denial of service to legitimate users. Organizations relying heavily on REDCap for clinical or research data collection may experience operational interruptions. The phishing redirect vector could be exploited to target users with tailored attacks, potentially leading to broader security incidents. Since exploitation requires user interaction, the risk is somewhat mitigated, but targeted attacks against research staff or administrators remain a concern. The absence of known exploits suggests limited current threat activity, but the vulnerability should be addressed promptly to prevent future abuse.

Organizations should implement CSRF protections on all state-changing endpoints, especially the logout functionality, by incorporating anti-CSRF tokens or same-site cookie attributes. Until an official patch is released, administrators should restrict CSV file uploads to trusted users and validate or sanitize alert-title inputs to prevent HTML injection. User training should emphasize caution when interacting with uploaded data, particularly clicking on alert titles or links from untrusted sources. Monitoring and logging of logout events can help detect abnormal session terminations. Network-level controls such as web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the logout endpoint. Additionally, organizations should keep REDCap installations updated and subscribe to vendor advisories for timely patch deployment once available. Implementing multi-factor authentication (MFA) can reduce the impact of phishing redirects by protecting user credentials.