On 2025-10-23 a Cross-Site Request Forgery (CSRF) weakness was reported in Casdoor v2.95.0 (release date 2025-10-22). The vulnerable endpoint (/api/set-password) could be invoked in the context of an authenticated user to change that user’s password without requiring the user’s current password. The issue is referenced as CVE-2023-34927 in the report (note: the listing or assignment may still be finalized).
Put plainly: if a user is logged into a Casdoor instance and later visits a malicious page or link, that page can submit a request which changes the victim’s password, enabling account takeover or the creation of an account with attacker-chosen credentials.
Why this matters
- Password changes that don’t require the user’s current password are high impact when combined with CSRF.
- Many admins and service accounts use meaningful names (e.g., admin or built-in); if such identities are targeted, the attacker can gain persistent access.
- Because Casdoor is an identity provider, compromise can cascade to services that trust it (SSO sessions, integrated apps).
Affected versions
- Confirmed: Casdoor v2.95.0 and earlier (per the report).
- Any publicly reachable Casdoor instance running an affected release is at risk.
What an attacker can do
- Force a logged-in user to have their password changed, then log in as that user.
- Create or alter accounts if the endpoint accepts parameters enabling that behavior.
- Pivot from a compromised application account into systems that rely on Casdoor for authentication (SSO integrations).
Detection — what to look for
- Unexpected POST requests to /api/set-password in access logs where the Referer header comes from an external origin.
- Rapid or unexplained password change events for admin/service accounts.
- New logins from unfamiliar IPs immediately after a password-change event.
- Web server logs showing form submissions or requests to /api/set-password without corresponding UI flows in your monitoring/telemetry.
- Unexpected account creations or modifications around the same time window.
Immediate mitigation (short term)
If you cannot patch immediately, apply one or more of these mitigations right away:
- Require current password for password changes — change server logic so /api/set-password only accepts requests that include the account’s existing password (or a valid token from a prior verified flow).
- Enable/require CSRF protection — validate a per-session CSRF token on all state-changing endpoints.
- Set cookies to SameSite=Strict or Lax where appropriate to reduce cross-site POSTs.
- Restrict access to the admin API — firewall rules, IP allow-lists, or placing Casdoor behind a VPN for administrative interfaces.
- Short-term ACL — if possible, restrict /api/set-password to authenticated API clients (e.g., require an Authorization header signed by the client).
- Enable MFA for privileged accounts so password changes alone are not sufficient to take over sensitive accounts.
- Invite user action — force a password reset for high-risk or admin accounts and notify owners of the incident.
Long-term fixes (recommended)
- Enforce CSRF tokens across all POST, PUT, DELETE endpoints and validate origin/host headers where possible.
- Require proof of knowledge (current password) or out-of-band confirmation (email/SMS) for sensitive account changes.
- Harden session management (shorter session lifetimes, detect anomalous session usage).
- Add explicit headers checks (Origin/Referer) logic as part of CSRF mitigation — but don’t rely on them as the only control.
- Add automated behavioral alerts for “password change followed by login from new IP” events.
Incident response checklist (if you suspect exploitation)
- Identify affected accounts and immediately reset credentials for high-privilege accounts.
- Check logs for suspicious requests to /api/set-password and follow the access trail (timestamps, IPs, user agents).
- Force logout of user sessions and rotate any API tokens or client secrets that may have been exposed.
- Enable MFA and require re-verification for administrative users.
- Restore from backups only if you detect further malicious persistence (webshells, modified binaries).
- Notify impacted users and stakeholders with remediation steps (change passwords, review sessions).
- Patch the application and any dependent libraries; validate the patch in a staging environment before full rollout.