Chamilo LMS, an open-source learning management system, contains a critical SSRF vulnerability identified as CVE-2025-50199 (CWE-918) in versions prior to 1.11.30. The flaw resides in the /index.php script, specifically in the handling of the POST parameter openid_url. An attacker can supply a crafted URL in this parameter, causing the server to perform HTTP requests to arbitrary destinations. Because this is a blind SSRF, the attacker does not receive direct response data but can infer success through side channels or subsequent behavior. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The SSRF can be leveraged to access internal resources behind firewalls, potentially exposing sensitive data or enabling further attacks such as internal port scanning, exploitation of internal services, or pivoting within the network. The vulnerability has been assigned a CVSS 4.0 score of 7.7, reflecting high severity due to its network attack vector, lack of required privileges, and potential impact on confidentiality and integrity. Chamilo LMS version 1.11.30 includes a patch that properly validates or restricts the openid_url parameter to prevent SSRF. No public exploits have been reported yet, but the widespread use of Chamilo in educational institutions and organizations makes timely patching critical.

The SSRF vulnerability in Chamilo LMS can have significant impacts on organizations worldwide, especially those using vulnerable versions in production environments. Exploitation can allow attackers to bypass network perimeter defenses by making the server initiate requests to internal systems, potentially exposing sensitive internal services, databases, or administrative interfaces. This can lead to data breaches, unauthorized access, or lateral movement within the network. Educational institutions and enterprises relying on Chamilo for e-learning may face disruption of services, loss of confidentiality of student or staff data, and reputational damage. Additionally, SSRF can be a stepping stone for more complex attacks, including server compromise or supply chain attacks if internal infrastructure is accessed. The fact that no authentication or user interaction is required increases the risk of automated exploitation attempts. Although no known exploits are currently reported, the high CVSS score and ease of exploitation make this a critical risk that should be addressed promptly.

Organizations should immediately upgrade Chamilo LMS installations to version 1.11.30 or later, where the SSRF vulnerability is patched. If upgrading is not immediately feasible, administrators should implement strict input validation and sanitization on the openid_url parameter to restrict it to trusted domains or disable the affected functionality if possible. Network-level mitigations include implementing egress filtering to prevent the LMS server from making unauthorized outbound requests to internal or sensitive IP ranges. Deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SSRF payloads targeting openid_url can provide temporary protection. Regularly monitor logs for unusual outbound requests originating from the LMS server. Conduct internal network segmentation to limit the impact of SSRF exploitation and restrict access to critical internal services. Finally, maintain an up-to-date inventory of Chamilo LMS deployments and ensure patch management processes are robust to quickly address future vulnerabilities.