CVE-2025-8737 is an open redirect vulnerability identified in the zlt2000 microservices-platform version 6.0.0 and earlier. The vulnerability resides in the onLogoutSuccess function within the OauthLogoutSuccessHandler.java source file. Specifically, the issue arises from improper validation or sanitization of the redirect_url parameter, which an attacker can manipulate to redirect users to arbitrary external URLs after logout. This vulnerability is remotely exploitable without requiring authentication, although it does require user interaction (i.e., the user must follow a crafted link). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required. The impact on confidentiality is none, integrity is low, and availability is none. The vulnerability does not affect system components beyond the redirect behavior, but it can be leveraged in phishing or social engineering attacks to trick users into visiting malicious sites under the guise of a trusted platform. The exploit has been publicly disclosed but no known exploits in the wild have been reported yet. The vulnerability affects the logout success handler, which is a critical part of user session management in the microservices platform, potentially undermining user trust and session security if exploited.

For European organizations using the zlt2000 microservices-platform, this vulnerability could facilitate phishing attacks by redirecting users to malicious websites after logout, potentially leading to credential theft, malware infection, or further social engineering exploits. While the vulnerability itself does not directly compromise system confidentiality or availability, it undermines user trust and can be a stepping stone for more sophisticated attacks. Organizations in sectors with high regulatory scrutiny, such as finance, healthcare, and government, may face reputational damage and compliance issues if user sessions are manipulated. Additionally, since the platform is microservices-based, the vulnerability could affect distributed applications that rely on centralized authentication and logout mechanisms, increasing the attack surface. The medium severity rating suggests that while the immediate technical impact is limited, the indirect consequences through user deception and potential data exposure are significant, especially in environments with sensitive data or critical services.

To mitigate this vulnerability, organizations should implement strict validation and sanitization of the redirect_url parameter to ensure it only allows redirection to trusted internal URLs or domains. Employing a whitelist approach for redirect destinations is recommended. Additionally, updating the zlt2000 microservices-platform to a patched version once available is critical. In the absence of an official patch, organizations can implement web application firewall (WAF) rules to detect and block suspicious redirect_url parameters. User education on phishing risks and monitoring logout-related logs for unusual redirect patterns can also help detect exploitation attempts. Furthermore, implementing Content Security Policy (CSP) headers and secure logout workflows that do not rely on user-supplied redirect parameters can reduce risk. Finally, integrating multi-factor authentication (MFA) and session management best practices can limit the impact of any successful redirection-based attacks.