
CVE-2025-64754: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in jitsi jitsi-meet

Severity: Low
Tags: Vulnerability, CVE-2025-64754, cve, cwe-601
Published: Thu Nov 13 2025 (11/13/2025, 21:48:08 UTC)
Source: CVE Database V5
Vendor/Project: jitsi
Product: jitsi-meet

Description

Jitsi Meet is an open source video conferencing application. A vulnerability present in versions prior to 2.0.10532 allows attackers to hijack the OAuth authentication window for Microsoft accounts. This is fixed in version 2.0.10532. No known workarounds are available.

AI-Powered Analysis

Last updated: 11/13/2025, 22:05:07 UTC

Technical Analysis

CVE-2025-64754 is a security vulnerability classified as CWE-601 (Open Redirect) in the open-source video conferencing application jitsi-meet, affecting versions prior to 2.0.10532. The flaw allows an attacker to hijack the OAuth authentication window used for Microsoft accounts by redirecting the user to an untrusted external URL. This is possible because the application does not properly validate or restrict the redirect URIs used during the OAuth flow, so an attacker can craft a URL that appears legitimate but sends users to a phishing or otherwise malicious site. Exploitation requires no privileges, user interaction, or authentication, and the attack vector is network-based. The CVSS 4.0 base score is 2.7, reflecting low severity: limited impact on confidentiality and integrity and no effect on availability. The vulnerability was publicly disclosed on November 13, 2025, and fixed in jitsi-meet version 2.0.10532. No exploits have been reported in the wild, and no workaround exists other than upgrading. The main risk is to the confidentiality of user credentials, since the redirect could expose OAuth tokens or enable phishing during the authentication process. Because jitsi-meet is widely used for video conferencing, particularly in remote work and collaboration settings, the flaw could be leveraged to compromise user accounts if exploited.

Potential Impact

For European organizations, the impact of CVE-2025-64754 is primarily related to the confidentiality of user credentials and session tokens during Microsoft OAuth authentication in jitsi-meet. Successful exploitation could lead to credential theft or session hijacking, enabling attackers to impersonate users or gain unauthorized access to corporate resources tied to Microsoft accounts. This risk is heightened in organizations heavily reliant on Microsoft 365 services integrated with jitsi-meet for collaboration. However, the vulnerability does not affect system integrity or availability, limiting the scope of damage. The low CVSS score and absence of known exploits suggest a low immediate threat, but the potential for phishing and account compromise remains a concern. European entities with strict data protection regulations (e.g., GDPR) must consider the confidentiality risk seriously, as credential compromise could lead to data breaches and regulatory penalties. The threat is more significant in sectors with high usage of jitsi-meet and Microsoft OAuth, such as education, government, and enterprises adopting remote work technologies.

Mitigation Recommendations

The primary mitigation for CVE-2025-64754 is to upgrade all jitsi-meet deployments to version 2.0.10532 or later, where the open redirect vulnerability has been fixed. Organizations should audit their current jitsi-meet versions and prioritize patching vulnerable instances. Additionally, administrators should review and enforce strict validation of OAuth redirect URIs to ensure only trusted domains are allowed, minimizing the risk of redirection to malicious sites. Implementing multi-factor authentication (MFA) on Microsoft accounts can reduce the impact of credential theft. Monitoring OAuth authentication logs for unusual redirect patterns or failed login attempts can help detect exploitation attempts. User awareness training about phishing risks related to OAuth redirection should be conducted. Network-level protections such as web filtering and URL reputation services can block access to known malicious redirect destinations. Finally, organizations should maintain an incident response plan to quickly address any suspected compromise stemming from this vulnerability.
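The strict redirect-URI validation recommended above, shown as an added example that is not jitsi-meet's own code: the target is parsed with the WHATWG URL API and its full origin is compared against an allowlist, which defeats scheme-relative inputs, userinfo tricks and look-alike hostnames that a prefix or substring check would accept. The allowlist origins and the sample inputs are constructed for illustration.

```javascript
// Added example, not from the jitsi-meet project. The allowlist below is
// constructed; a real deployment would list its own origin and the identity
// provider endpoint it actually uses.
const ALLOWED_ORIGINS = new Set([
  "https://meet.example.org",          // constructed: the deployment's own origin
  "https://login.microsoftonline.com", // Microsoft identity endpoint
]);

const BASE_ORIGIN = "https://meet.example.org"; // constructed

// Returns true only if `candidate` resolves to an allowlisted origin over HTTPS.
function isAllowedRedirect(candidate, baseOrigin = BASE_ORIGIN) {
  if (typeof candidate !== "string" || candidate.length === 0) return false;
  let url;
  try {
    // Resolving against the base origin turns a plain path into a same-origin
    // URL, but a scheme-relative "//host/path" resolves to that other host,
    // which is exactly why the origin is checked afterwards.
    url = new URL(candidate, baseOrigin);
  } catch {
    return false; // unparseable input is never a valid redirect target
  }
  if (url.protocol !== "https:") return false;    // rejects javascript:, data:, http:
  if (url.username || url.password) return false; // rejects "https://trusted@other-host/"
  return ALLOWED_ORIGINS.has(url.origin);         // exact origin match, not a prefix
}

// Chooses the redirect target to use: the validated candidate, or a safe fallback.
function safeRedirectTarget(candidate, fallback = BASE_ORIGIN + "/") {
  return isAllowedRedirect(candidate) ? new URL(candidate, BASE_ORIGIN).href : fallback;
}
```

The check is deliberately an allowlist of complete origins rather than a hostname suffix match, so `meet.example.org.attacker.example` and `meet.example.org@attacker.example` are both rejected.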


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-10T22:29:34.874Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6916529405b975ba75927702

Added to database: 11/13/2025, 9:50:12 PM

Last enriched: 11/13/2025, 10:05:07 PM

Last updated: 11/14/2025, 5:40:02 AM
