CVE-2025-12789

Severity: Moderate (6.1)

Description
A flaw was found in Red Hat Single Sign-On. This issue is an Open Redirect vulnerability that occurs during the logout process: the redirect_uri parameter of the openid-connect logout endpoint does not properly validate the supplied URL, so a crafted logout link can send the user to an attacker-chosen site after the session ends.

Statement
Red Hat Single Sign-On has reached end of life. Only version 7.3.33 and earlier are affected.

Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability. Because the product is end of life, operators should not expect a fix; the practical response is to move to a supported product and, in the meantime, treat logout requests whose redirect_uri points outside the client's registered redirect URIs as suspicious.

Additional Information
Bugzilla 2413001: rhso: Open Redirect
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Understanding the Weakness (CWE)
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Scope: Access Control
Technical Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity
The user may be redirected to an untrusted page that contains malware which may then compromise the user's system. In some cases, an open redirect can also enable the immediate download of a file without the user's permission, because the redirection to an external site may lead to endpoints on those sites that automatically trigger a download action ("drive-by download").

Scope: Access Control, Confidentiality, Other
Technical Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity; Other
By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam. The user may be subjected to phishing attacks by being redirected to an untrusted page. The logout flow is a particularly convincing lure, since the victim starts on the genuine identity provider and is only redirected after a legitimate-looking logout.

Acknowledgements
Red Hat would like to thank Edcarlos Junior for reporting this issue.