Miggo Logo
Miggo Vulnerability Database
CVE-2025-4210

CVE-2025-4210: Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor

7.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-4210
GHSA ID
GHSA-8w8f-h4cm-c4pg
EPSS Score
0.18283%
CWE
CWE-285
Published
5/2/2025
Updated
5/6/2025
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/casdoor/casdoorgo< 1.812.01.812.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description and the commit patch clearly identify HandleScim in controllers/scim.go as the vulnerable function. The patch adds an authorization check (c.RequireAdmin()) which was previously missing, leading to an authorization bypass. The function signature includes the receiver type (*RootController) which is standard for Go methods and would likely appear in runtime profiles. The evidence from the patch directly supports this conclusion by showing the exact lines of code added to mitigate the vulnerability within this function. The confidence is high due to the direct correlation between the vulnerability report, the function name, the file path, and the nature of the code change in the patch (addition of an authorization check).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility *l*ssi*i** *s *riti**l w*s *oun* in **s*oor up to *.***.*. T*is vuln*r**ility *****ts t** *un*tion **n*l*S*im o* t** *il* *ontroll*rs/s*im.*o o* t** *ompon*nt S*IM Us*r *r**tion *n*point. T** m*nipul*tion l***s to *ut*oriz*tion *yp*ss

Reasoning

T** vuln*r**ility **s*ription *n* t** *ommit p*t** *l**rly i**nti*y `**n*l*S*im` in `*ontroll*rs/s*im.*o` *s t** vuln*r**l* *un*tion. T** p*t** ***s *n *ut*oriz*tion ****k (`*.R*quir***min()`) w*i** w*s pr*viously missin*, l***in* to *n *ut*oriz*tion