cvelistv5 - cve-2025-27773

CVE-2025-27773 (GCVE-0-2025-27773)

Vulnerability from cvelistv5

Published

2025-03-11 19:04

Modified

2025-05-09 20:03

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Summary

The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113
	security-advisories@github.com	https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217
	security-advisories@github.com	https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0
	security-advisories@github.com	https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56
	af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html

Impacted products

	Vendor	Product	Version
	simplesamlphp	saml2	Version: < 4.17.0 Version: >= 5.0.0-alpha.1, < 5.0.0-alpha.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27773",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-11T19:26:31.017558Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-11T19:27:00.852Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-09T20:03:38.107Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "saml2",
          "vendor": "simplesamlphp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.17.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-alpha.1, \u003c 5.0.0-alpha.20"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-11T19:04:52.135Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56"
        },
        {
          "name": "https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0"
        },
        {
          "name": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113"
        },
        {
          "name": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217"
        }
      ],
      "source": {
        "advisory": "GHSA-46r4-f8gj-xg56",
        "discovery": "UNKNOWN"
      },
      "title": "SimpleSAMLphp SAML2 library has incorrect signature verification for HTTP-Redirect binding"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27773",
    "datePublished": "2025-03-11T19:04:52.135Z",
    "dateReserved": "2025-03-06T18:06:54.460Z",
    "dateUpdated": "2025-05-09T20:03:38.107Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-27773\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-11T19:15:43.677\",\"lastModified\":\"2025-05-09T20:15:38.887\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.\"},{\"lang\":\"es\",\"value\":\"La librer\u00eda SimpleSAMLphp SAML2 es una librer\u00eda PHP para funcionalidades relacionadas con SAML2. En versiones anteriores a la 4.17.0 y la 5.0.0-alpha.20, exist\u00eda un ataque de confusi\u00f3n de firmas en el enlace HTTPRedirect. Un atacante con cualquier SAMLResponse firmada mediante el enlace HTTP-Redirect pod\u00eda provocar que la aplicaci\u00f3n aceptara un mensaje sin firmar. Las versiones 4.17.0 y 5.0.0-alpha.20 incluyen una soluci\u00f3n para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"references\":[{\"url\":\"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-05-09T20:03:38.107Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27773\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-11T19:26:31.017558Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-11T19:26:53.207Z\"}}], \"cna\": {\"title\": \"SimpleSAMLphp SAML2 library has incorrect signature verification for HTTP-Redirect binding\", \"source\": {\"advisory\": \"GHSA-46r4-f8gj-xg56\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"simplesamlphp\", \"product\": \"saml2\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.17.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 5.0.0-alpha.1, \u003c 5.0.0-alpha.20\"}]}], \"references\": [{\"url\": \"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56\", \"name\": \"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0\", \"name\": \"https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113\", \"name\": \"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217\", \"name\": \"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-347\", \"description\": \"CWE-347: Improper Verification of Cryptographic Signature\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-11T19:04:52.135Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-27773\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-09T20:03:38.107Z\", \"dateReserved\": \"2025-03-06T18:06:54.460Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-03-11T19:04:52.135Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-46r4-f8gj-xg56

Vulnerability from github

Published

2025-03-11 19:23

Modified

2025-05-09 21:31

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Summary

The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding

Details

Summary

There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message.

I believe that it exists for v4 only. I have not yet developed a PoC.

V5 is well designed and instead builds the signed query from the same message that will be consumed.

Details

What is verified

The data['SignedQuery'] is the string that will be verified by the public key.

It is defined here: https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217

THe code will iterate through each parameter name. Notably, sigQuery is overridden each time when processing, making the last of SAMLRequest/SAMLResponse used for sigQuery.

For example, given:

SAMLRequest=a&SAMLResponse=idpsigned

SAMLResponse=idpsigned will be set as sigQuery, then later verified

What is actually processed

Processing uses SAMLRequest parameter value first, (if it exists) then SAMLResponse:

https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113

Given this, the contents that are processed might not be the same as the data that is actually verified.

Exploiting

Suppose an attacker has a signed HTTP Redirect binding from IdP, say a signed logout response. :

SAMLResponse=idpsigned&RelayState=...&SigAlg=...&Signature

Then an attacker can append SAMLRequest in front:

SAMLRequest=unverifieddata&SAMLResponse=idpsigned&RelayState=...&SigAlg=...&Signature=..

SimpleSAMLPhp will only verify the SAMLResponse, but will actually use the SAMLRequest contents. The impact here is increased because there's no checks that SAMLRequest actually contains a Request, it could instead contain an Response, which allows the attacker to effectively impersonate any user within the SP.

IdPs

Microsoft Azure AD/Entra (and likely ADFS) signs the LogoutResponse via this SimpleSign format in HTTP Redirect binding. If an attacker logs out of Entra, they will be able to extract a valid Signature.

Attached is an HTTP Request when an I initiated a SLO request from the service provider to the IdP (entra). Then IdP POSTed this SAMLResponse with HTTP Redirect binding signature, via the user browser to the SP. It should be possible to carry out the described attack with this.

https://webhook.site/c6038292-6ef5-46ac-973d-d7c25520ec48/logout?SAMLResponse=fVJNa%2bMwEP0rRndZtmw5tnAMy%2fYSaC9N6aGXIsmjVMTRGI9M%2bvObdeihsPQ4w7x5HzM9mcs060c84ZqegWaMBNnhYc%2fejS1UW1TAnVU7XldK8s7JkcvOd60Db3zTsewVFgoY90zmBcsORCscIiUT061VyJqXJS%2fbl7LRUmrZ5mXdvLHsASiFaNKG%2fEhpJi3EFewH4jmnkEC4pqha2UnegFe8bozj3a4a%2bbhzUilZgKtbMW2yb7TxW%2foL7lkM9hTC2XnEOPvZXjDECb2N1lh7mvBsp%2bnsErDs8zJF0lsEe7YuUaOhQDqaC5BOTh%2f%2fPD3qmzE9L5jQ4cSGfrO43KG%2fgwwRLP8ssuHbIiXKryGOeKU8QhLSVN7WteejV8Bru%2bt4WynFbwE3bdVV5ahG0Ys759Dfj3VMJq30s%2fqLI2SvZlrhd020Tevj6hwQMTH04udS8b%2bHGL4A&Signature=Z%2f7gIPv7Gkgvqtwo0bzgXyum9IjHMfP0zTYuNbl%2fBUGlQ%2fU%2bbOZGZJ6Rk9wLUyvNQ5XlZRxZrfESNA%2bn0CVyIedsg9GxQKTi7VqPTJFJqEIP1BZaEpYYP3%2f6sFfLxfTMKecJoQdxnDE5Malte1hMj2UujWnLXOnp0CgO%2f%2fU2K52SoGckIzNDRB%2fJ6%2fysTn%2bDjBrmgdro%2fgdTyby9%2f3vm8dzY8pUkRCgMjlimShrZxr5U33wQvwPLIXlDgActr91RUtWKE0k8sy%2brshrK9DKLPo8AdTLk7NYhjSWdF7OG7uqgEeEo470tacqQuA09E0qDh8CWS%2bycLJijiGYWVyQa4Q%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.0-alpha.19"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-alpha.1"
            },
            {
              "fixed": "5.0.0-alpha.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2-legacy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T19:23:22Z",
    "nvd_published_at": "2025-03-11T19:15:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThere\u0027s a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message.\n\nI believe that it exists for v4 only. I have not yet developed a PoC.\n\nV5 is well designed and instead builds the signed query from the same message that will be consumed.\n### Details\n\n#### What is verified\nThe data[\u0027SignedQuery\u0027] is the string that will be verified by the public key. \n\nIt is defined here:\nhttps://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217\n\nTHe code will iterate through each parameter name. Notably, sigQuery is overridden each time when processing, making the last of SAMLRequest/SAMLResponse used for sigQuery.\n\nFor example, given:\n\nSAMLRequest=a\u0026SAMLResponse=idpsigned\n\nSAMLResponse=idpsigned will be set as sigQuery, then later verified\n\n\n#### What is actually processed\n\nProcessing uses SAMLRequest parameter value first, (if it exists) then SAMLResponse:\n\nhttps://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113\n\nGiven this, the contents that are processed might not be the same as the data that is actually verified.\n\n\n### Exploiting\nSuppose an attacker has a signed HTTP Redirect binding from IdP, say a signed logout response. :\n\nSAMLResponse=idpsigned\u0026RelayState=...\u0026SigAlg=...\u0026Signature\n\n\nThen an attacker can append SAMLRequest in front:\n\n`SAMLRequest=unverifieddata\u0026SAMLResponse=idpsigned\u0026RelayState=...\u0026SigAlg=...\u0026Signature=..`\n\nSimpleSAMLPhp will only verify the SAMLResponse, but will actually use the SAMLRequest contents. The impact here is increased because there\u0027s no checks that SAMLRequest actually contains a Request, it could instead contain an Response, which allows the attacker to effectively impersonate any user within the SP.\n\n\n### IdPs\n\nMicrosoft Azure AD/Entra (and likely ADFS) signs the LogoutResponse via this SimpleSign format in HTTP Redirect binding. If an attacker logs out of Entra, they will be able to extract a valid Signature.\n\nAttached is an HTTP Request when an I initiated a SLO request from the service provider to the IdP (entra). Then IdP POSTed this SAMLResponse with HTTP Redirect binding signature, via the user browser to the SP. It should be possible to carry out the described attack with this.\n\n```\nhttps://webhook.site/c6038292-6ef5-46ac-973d-d7c25520ec48/logout?SAMLResponse=fVJNa%2bMwEP0rRndZtmw5tnAMy%2fYSaC9N6aGXIsmjVMTRGI9M%2bvObdeihsPQ4w7x5HzM9mcs060c84ZqegWaMBNnhYc%2fejS1UW1TAnVU7XldK8s7JkcvOd60Db3zTsewVFgoY90zmBcsORCscIiUT061VyJqXJS%2fbl7LRUmrZ5mXdvLHsASiFaNKG%2fEhpJi3EFewH4jmnkEC4pqha2UnegFe8bozj3a4a%2bbhzUilZgKtbMW2yb7TxW%2foL7lkM9hTC2XnEOPvZXjDECb2N1lh7mvBsp%2bnsErDs8zJF0lsEe7YuUaOhQDqaC5BOTh%2f%2fPD3qmzE9L5jQ4cSGfrO43KG%2fgwwRLP8ssuHbIiXKryGOeKU8QhLSVN7WteejV8Bru%2bt4WynFbwE3bdVV5ahG0Ys759Dfj3VMJq30s%2fqLI2SvZlrhd020Tevj6hwQMTH04udS8b%2bHGL4A\u0026Signature=Z%2f7gIPv7Gkgvqtwo0bzgXyum9IjHMfP0zTYuNbl%2fBUGlQ%2fU%2bbOZGZJ6Rk9wLUyvNQ5XlZRxZrfESNA%2bn0CVyIedsg9GxQKTi7VqPTJFJqEIP1BZaEpYYP3%2f6sFfLxfTMKecJoQdxnDE5Malte1hMj2UujWnLXOnp0CgO%2f%2fU2K52SoGckIzNDRB%2fJ6%2fysTn%2bDjBrmgdro%2fgdTyby9%2f3vm8dzY8pUkRCgMjlimShrZxr5U33wQvwPLIXlDgActr91RUtWKE0k8sy%2brshrK9DKLPo8AdTLk7NYhjSWdF7OG7uqgEeEo470tacqQuA09E0qDh8CWS%2bycLJijiGYWVyQa4Q%3d%3d\u0026SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256\n```",
  "id": "GHSA-46r4-f8gj-xg56",
  "modified": "2025-05-09T21:31:08Z",
  "published": "2025-03-11T19:23:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27773"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simplesamlphp/saml2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding"
}

fkie_cve-2025-27773

Vulnerability from fkie_nvd

Published

2025-03-11 19:15

Modified

2025-05-09 20:15

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113
	security-advisories@github.com	https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217
	security-advisories@github.com	https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0
	security-advisories@github.com	https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56
	af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue."
    },
    {
      "lang": "es",
      "value": "La librer\u00eda SimpleSAMLphp SAML2 es una librer\u00eda PHP para funcionalidades relacionadas con SAML2. En versiones anteriores a la 4.17.0 y la 5.0.0-alpha.20, exist\u00eda un ataque de confusi\u00f3n de firmas en el enlace HTTPRedirect. Un atacante con cualquier SAMLResponse firmada mediante el enlace HTTP-Redirect pod\u00eda provocar que la aplicaci\u00f3n aceptara un mensaje sin firmar. Las versiones 4.17.0 y 5.0.0-alpha.20 incluyen una soluci\u00f3n para este problema."
    }
  ],
  "id": "CVE-2025-27773",
  "lastModified": "2025-05-09T20:15:38.887",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-11T19:15:43.677",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-27773 (GCVE-0-2025-27773)

Vulnerability from cvelistv5

ghsa-46r4-f8gj-xg56

Vulnerability from github

Summary

Details

What is verified

What is actually processed

Exploiting

IdPs

fkie_cve-2025-27773

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature