CVE-2025-23113

Name of the Vulnerable Software and Affected Versions REDCap version 14.9.6

Description An issue was discovered in REDCap, which has a CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, they automatically land on a page to view the uploaded data. If the victim clicks on the alert-title value, it can trigger a logout request and terminate their session, or redirect to a phishing website. This issue stems from the absence of CSRF protections on the logout functionality.

Recommendations For REDCap version 14.9.6, as a temporary workaround, consider disabling the logout functionality until a patch is available. Restrict access to the alert-title value to minimize the risk of exploitation. Avoid using the action=myprojects&logout=1 parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.