Improper Verification of Cryptographic Signature Affecting simplesamlphp/saml2 package, versions <4.17.0>=5.0.0-alpha.1, <5.0.0-alpha.20
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-SIMPLESAMLPHPSAML2-9406866
- published14 Mar 2025
- disclosed11 Mar 2025
- creditahacker1-securesaml
Introduced: 11 Mar 2025
NewCVE-2025-27773 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade simplesamlphp/saml2 to version 4.17.0, 5.0.0-alpha.20 or higher.
Overview
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature through the HTTPRedirect binding process. An attacker can manipulate the message processing by appending a malicious SAMLRequest in front of a valid SAMLResponse, leading to the application processing an unsigned or altered message as if it were valid.