Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting github.com/fleetdm/fleet/v4/server/sso package, versions <4.53.2, >=4.54.0 <4.58.1, >=4.62.0 <4.62.4, >=4.63.0 <4.63.2, >=4.64.0 <4.64.2


Severity

critical

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-GOLANG-GITHUBCOMFLEETDMFLEETV4SERVERSSO-9357560
  • published: 7 Mar 2025
  • disclosed: 6 Mar 2025
  • credit: hakivvi

Introduced: 6 Mar 2025

CVE-2025-27509
CWE-74

How to fix?

Upgrade github.com/fleetdm/fleet/v4/server/sso to version 4.53.2, 4.58.1, 4.62.4, 4.63.2, 4.64.2 or higher.

Overview

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') due to improper validation of SAML responses. An attacker who can craft a specially formed SAML response may forge authentication assertions and potentially impersonate legitimate users or provision new administrative accounts.

Workaround

This vulnerability can be mitigated by temporarily disabling single sign-on (SSO) and using password authentication.
