
CVE-2025-54066: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in DIRACGrid diracx-web

Medium
Tags: Vulnerability, CVE-2025-54066, CWE-601
Published: Thu Jul 17 2025 (07/17/2025, 14:44:27 UTC)
Source: CVE Database V5
Vendor/Project: DIRACGrid
Product: diracx-web

Description

DiracX-Web is a web application that provides an interface for interacting with the DiracX services. Prior to version 0.1.0-a8, an attacker can forge a request that redirects an authenticated user to an arbitrary website. The login page of DiracX-Web has a `redirect` field holding the location to which the server will send the user after login. This URI is not verified and can be an arbitrary URI. Paired with parameter pollution, an attacker can hide the malicious URI. This could be used for phishing and for extracting further data, such as redirecting to a fake "log in" page and asking for credentials a second time. Version 0.1.0-a8 fixes this vulnerability.

AI-Powered Analysis

Last updated: 07/17/2025, 15:16:25 UTC

Technical Analysis

CVE-2025-54066 is an open redirect vulnerability (CWE-601) in the DIRACGrid project's web application, diracx-web, affecting versions prior to 0.1.0-a8. DiracX-Web serves as an interface to the DiracX services. The vulnerability arises from the login page's handling of a 'redirect' parameter, which specifies the URI to which the user is sent after authentication. This parameter is not validated or sanitized, so an attacker can craft a URL that redirects authenticated users to an arbitrary external website. The flaw is exacerbated by parameter pollution (supplying the parameter more than once), which can obscure the malicious redirect URI and make detection and prevention harder. By exploiting it, an attacker could send users to phishing sites that mimic legitimate login pages and harvest additional credentials or sensitive information. Exploitation does not require authentication, but it does require user interaction (clicking a crafted link). The CVSS v3.1 base score is 4.7 (medium severity): network attack vector, low attack complexity, no privileges required, user interaction required, and a limited impact on confidentiality only; integrity and availability are not affected. The issue was addressed in version 0.1.0-a8 by validating the redirect URI so that arbitrary redirection is no longer possible.

Potential Impact

For European organizations using diracx-web versions prior to 0.1.0-a8, this vulnerability poses a moderate risk primarily related to phishing and social engineering attacks. Attackers could exploit the open redirect to lure authenticated users into visiting malicious sites that appear trustworthy, potentially leading to credential theft or session hijacking. While the vulnerability itself does not directly compromise system integrity or availability, successful phishing attacks could lead to broader security incidents, including unauthorized access or data breaches. Organizations in sectors with high security requirements, such as finance, healthcare, and critical infrastructure, may face increased risk if attackers leverage this vulnerability as part of multi-stage attacks. Additionally, the use of parameter pollution to hide malicious URLs complicates detection and mitigation efforts. Given the medium CVSS score and the nature of the vulnerability, the direct technical impact is limited, but the indirect consequences through social engineering could be significant.

Mitigation Recommendations

European organizations should immediately upgrade diracx-web to version 0.1.0-a8 or later, where the vulnerability is fixed by validating and restricting the redirect URI parameter. Until the upgrade is applied, organizations should implement the following mitigations:

1) Employ web application firewalls (WAFs) with rules to detect and block suspicious redirect parameters and parameter pollution attempts targeting diracx-web endpoints.
2) Conduct user awareness training focusing on phishing risks, emphasizing caution when clicking on unexpected or suspicious links, especially those involving authentication workflows.
3) Implement strict Content Security Policy (CSP) headers to restrict the domains to which users can be redirected or from which content is loaded, reducing the risk of malicious redirection.
4) Monitor web server logs for unusual redirect parameter usage patterns and investigate anomalies promptly.
5) If feasible, temporarily disable or restrict the use of the redirect parameter in the application configuration or via custom patches until the official fix is deployed.

These targeted actions go beyond generic advice by focusing on the specific vulnerability mechanics and attack vectors.
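The following is an added example, not diracx-web's own code, showing the two checks the Technical Analysis and mitigation 5) above call for: refusing a polluted (repeated) `redirect` parameter, and only honouring a redirect that resolves to a same-origin path. `APP_ORIGIN` is an assumed placeholder for the deployed DiracX-Web origin.

```typescript
// Added example (not diracx-web's code). APP_ORIGIN is a placeholder for the
// origin the DiracX-Web login page is served from; FALLBACK_PATH is where a
// user lands when the supplied redirect is missing or rejected.
const APP_ORIGIN = "https://diracx.example.org";
const FALLBACK_PATH = "/";

// Every value supplied for `name`, so duplicates (parameter pollution) are
// visible rather than silently collapsed to the first or last occurrence.
function redirectValues(search: string, name = "redirect"): string[] {
  return new URLSearchParams(search).getAll(name);
}

// Resolve a raw value against the app origin; null when it is not a URL at all.
function parseTarget(raw: string, origin: string): URL | null {
  try {
    return new URL(raw, origin); // relative paths resolve against origin
  } catch {
    return null;
  }
}

// Returns a same-origin path (plus query and fragment) or FALLBACK_PATH when
// the value is absent, repeated, points at another origin, or uses a
// non-http(s) scheme such as javascript:.
function safeRedirect(search: string, origin = APP_ORIGIN): string {
  const values = redirectValues(search);
  if (values.length !== 1) return FALLBACK_PATH; // absent or polluted
  const raw = values[0].trim();
  // Defence in depth: protocol-relative "//host" and backslash variants are
  // rewritten by the URL parser into a foreign host, so reject them up front.
  if (raw.startsWith("//") || raw.includes("\\")) return FALLBACK_PATH;
  const target = parseTarget(raw, origin);
  if (target === null) return FALLBACK_PATH;
  if (target.protocol !== "https:" && target.protocol !== "http:") return FALLBACK_PATH;
  if (target.origin !== new URL(origin).origin) return FALLBACK_PATH;
  // Re-emit only path, query and fragment, never the scheme or host we were sent.
  return target.pathname + target.search + target.hash;
}
```

Because the result is rebuilt from the parsed URL's path components, an absolute same-origin URL such as `https://diracx.example.org/jobs` is accepted but still emitted as the relative `/jobs`.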


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-16T13:22:18.204Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68791037a83201eaace69110

Added to database: 7/17/2025, 3:01:11 PM

Last enriched: 7/17/2025, 3:16:25 PM

Last updated: 8/29/2025, 3:29:32 AM

Views: 37
