CVE-2025-58044

moderate-risk

Published 2025-12-01

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5.

Do I need to act?

1.5% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Jumpserver

Affected Vendors

Fit2Cloud

References (2)

Patch https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d1...

Patch https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 4/34 · Minimal

Exposure 5/34 · Minimal