CVE-2025-67852 is an open redirect vulnerability identified in the OAuth login flow of Moodle, a widely used open-source learning management system. The vulnerability arises from insufficient validation of redirect parameters after successful user authentication. Specifically, when a user logs in via OAuth, the application fails to properly verify the destination URL, allowing an attacker to craft a malicious URL that redirects the user to an attacker-controlled site. This can be exploited remotely by sending specially crafted links to users, who upon clicking and authenticating, are redirected to phishing or malicious websites. The vulnerability affects multiple Moodle versions including 4.1.0, 4.4.0, 4.5.0, 5.0.0, and 5.1.0. The CVSS 3.1 base score is 3.5, reflecting low severity due to the requirement of user interaction and privileges, and limited impact on confidentiality only. No integrity or availability impacts are noted. No public exploits have been reported to date. The flaw primarily enables social engineering attacks such as phishing, potentially leading to credential theft or information disclosure if users are deceived. The vulnerability is categorized as an open redirect, a common web security issue that can undermine user trust and facilitate further attacks.

The primary impact of CVE-2025-67852 is the facilitation of phishing attacks by redirecting authenticated Moodle users to malicious external sites. This can lead to credential theft, session hijacking, or exposure to malware if users are tricked into interacting with attacker-controlled pages. Although the vulnerability does not directly compromise system integrity or availability, the indirect consequences can be significant, especially in educational environments where sensitive student and faculty data is involved. Organizations relying on affected Moodle versions risk reputational damage and potential data breaches if users fall victim to phishing campaigns leveraging this flaw. The requirement for user interaction and some privilege limits the ease of exploitation but does not eliminate risk, particularly in large user bases where targeted phishing can be effective. The lack of known exploits reduces immediate threat but vigilance is necessary. Overall, the vulnerability poses a moderate threat to confidentiality and user trust within affected organizations worldwide.

To mitigate CVE-2025-67852, organizations should immediately upgrade Moodle installations to patched versions once available. In the interim, administrators can implement strict validation of redirect URLs in the OAuth login flow, ensuring only whitelisted or internal URLs are accepted. Employing Content Security Policy (CSP) headers can help restrict navigation to trusted domains. User education on phishing risks and cautious handling of login links is critical. Monitoring logs for unusual redirect patterns or login anomalies can aid early detection of exploitation attempts. Additionally, implementing multi-factor authentication (MFA) reduces the risk of credential compromise even if phishing occurs. Security teams should review OAuth configurations and consider disabling or restricting OAuth login flows if not essential. Regular vulnerability scanning and penetration testing focused on authentication flows can help identify similar issues proactively.