GHSA-46r4-f8gj-xg56

Source
https://github.com/advisories/GHSA-46r4-f8gj-xg56
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-46r4-f8gj-xg56/GHSA-46r4-f8gj-xg56.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-46r4-f8gj-xg56
Aliases
Published
2025-03-11T19:23:22Z
Modified
2025-03-12T14:39:15.861536Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding
Details

Summary

There's a signature confusion attack in the HTTPRedirect binding. An attacker who holds any signed SAMLResponse sent via the HTTP-Redirect binding can cause the application to accept an unsigned message.

I believe that it exists for v4 only. I have not yet developed a PoC.

V5 is well designed and instead builds the signed query from the same message that will be consumed.

Details

What is verified

The data['SignedQuery'] is the string that will be verified by the public key.

It is defined here: https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217

The code iterates through each parameter name. Notably, sigQuery is overridden each time a matching parameter is processed, so the last of SAMLRequest/SAMLResponse is the one used for sigQuery.

For example, given:

SAMLRequest=a&SAMLResponse=idpsigned

SAMLResponse=idpsigned will be set as sigQuery and later verified.

What is actually processed

Processing uses the SAMLRequest parameter value first (if it exists), then SAMLResponse:

https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113

Given this, the contents that are processed might not be the same as the data that is actually verified.
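The mismatch between the verified string and the consumed parameter can be modelled in a few lines. This is an added example, not code from simplesamlphp/saml2 or its patch: the function names are hypothetical, the query string is constructed, and the model leaves out the RelayState and SigAlg parts of the signed string and the signature check itself. `strictSelection` shows one possible guard, which rejects ambiguous requests and derives the verified string and the consumed message from the same parameter.

```php
<?php
// Added illustration: a simplified model of the parameter handling described above,
// not code from simplesamlphp/saml2. All function names are hypothetical.
/** Split a raw query string into ordered [name, raw value] pairs, keeping the original encoding. */
function rawPairs(string $query): array
{
    $pairs = [];
    foreach (explode('&', $query) as $part) {
        if ($part === '') {
            continue;
        }
        $kv = explode('=', $part, 2);
        $pairs[] = [urldecode($kv[0]), $kv[1] ?? ''];
    }
    return $pairs;
}

/** Flawed pattern: the last message parameter is verified, SAMLRequest is preferred for use. */
function mismatchedSelection(string $query): array
{
    $sigQuery = null;
    $params = [];
    foreach (rawPairs($query) as [$name, $raw]) {
        $params[$name] = urldecode($raw);
        if ($name === 'SAMLRequest' || $name === 'SAMLResponse') {
            $sigQuery = $name . '=' . $raw; // overwritten on every match
        }
    }
    $used = array_key_exists('SAMLRequest', $params) ? 'SAMLRequest' : 'SAMLResponse';
    return ['verified' => $sigQuery, 'consumed' => $used . '=' . ($params[$used] ?? '')];
}

/** Guard: exactly one message parameter, and that same parameter is verified and consumed. */
function strictSelection(string $query): array
{
    $msgs = array_values(array_filter(
        rawPairs($query),
        fn(array $p): bool => in_array($p[0], ['SAMLRequest', 'SAMLResponse'], true)
    ));
    if (count($msgs) !== 1) {
        throw new InvalidArgumentException('expected exactly one SAMLRequest or SAMLResponse');
    }
    [$name, $raw] = $msgs[0];
    return ['verified' => $name . '=' . $raw, 'consumed' => $name . '=' . urldecode($raw)];
}

$query = 'SAMLRequest=a&SAMLResponse=idpsigned&RelayState=r&SigAlg=s&Signature=x'; // constructed
var_dump(mismatchedSelection($query));
try { strictSelection($query); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

For the constructed query, the flawed selection reports different parameters under `verified` and `consumed`, while the guard throws before any message is chosen.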

Exploiting

Suppose an attacker has a signed HTTP-Redirect binding message from the IdP, say a signed logout response:

SAMLResponse=idpsigned&RelayState=...&SigAlg=...&Signature

Then an attacker can prepend a SAMLRequest parameter:

SAMLRequest=unverifieddata&SAMLResponse=idpsigned&RelayState=...&SigAlg=...&Signature=..

SimpleSAMLphp will only verify the SAMLResponse, but will actually use the SAMLRequest contents. The impact here is increased because there are no checks that SAMLRequest actually contains a Request; it could instead contain a Response, which allows the attacker to effectively impersonate any user within the SP.

IdPs

Microsoft Azure AD/Entra (and likely ADFS) signs the LogoutResponse via this SimpleSign format in HTTP Redirect binding. If an attacker logs out of Entra, they will be able to extract a valid Signature.

Attached is an HTTP request from when I initiated an SLO request from the service provider to the IdP (Entra). Then the IdP POSTed this SAMLResponse with HTTP Redirect binding signature, via the user's browser, to the SP. It should be possible to carry out the described attack with this.

Database specific
{
    "nvd_published_at": "2025-03-11T19:15:43Z",
    "cwe_ids": [
        "CWE-347"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T19:23:22Z"
}
References

Affected packages

Packagist / simplesamlphp/saml2

Package

Name
simplesamlphp/saml2
Purl
pkg:composer/simplesamlphp/saml2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.17.0

Affected versions

v0.*

v0.1.0-alpha
v0.1.0
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.0
v0.7.1
v0.8.0
v0.8.1

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.7.0
v1.7.1
v1.7.2
v1.8
v1.8.1
v1.8.2
v1.9
v1.9.1
v1.9.2
v1.10
v1.10.1
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.10.6

v2.*

v2.0.0
v2.0.1
v2.1
v2.2
v2.3
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.2
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.3.10
v3.3.11
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.1.11
v4.1.12
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.3.0
v4.3.1
v4.4.0
v4.4.1
v4.5.0
v4.5.1
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.6.4
v4.6.5
v4.6.6
v4.6.7
v4.6.8
v4.6.10
v4.6.11
v4.6.12
v4.6.13
v4.6.14
v4.6.15
v4.6.16
v4.16.14

4.*

4.6.9

Database specific

{
    "last_known_affected_version_range": "<= 4.16.15"
}

Packagist / simplesamlphp/saml2

Package

Name
simplesamlphp/saml2
Purl
pkg:composer/simplesamlphp/saml2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0-alpha.1
Fixed
5.0.0-alpha.20

Affected versions

v5.*

v5.0.0-alpha.1
v5.0.0-alpha.2
v5.0.0-alpha3
v5.0.0-alpha.4
v5.0.0-alpha.5
v5.0.0-alpha.6
v5.0.0-alpha.7
v5.0.0-alpha.8
v5.0.0-alpha.9
v5.0.0-alpha.10
v5.0.0-alpha.11
v5.0.0-alpha.12
v5.0.0-alpha.13
v5.0.0-alpha.14
v5.0.0-alpha.15
v5.0.0-alpha.16
v5.0.0-alpha.17
v5.0.0-alpha.18
v5.0.0-alpha.19

Database specific

{
    "last_known_affected_version_range": "<= 5.0.0-alpha.19"
}

Packagist / simplesamlphp/saml2-legacy

Package

Name
simplesamlphp/saml2-legacy
Purl
pkg:composer/simplesamlphp/saml2-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.17.0

Affected versions

v0.*

v0.1.0-alpha
v0.1.0
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.0
v0.7.1
v0.8.0
v0.8.1

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.7.0
v1.7.1
v1.7.2
v1.8
v1.8.1
v1.8.2
v1.9
v1.9.1
v1.9.2
v1.10
v1.10.1
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.10.6

v2.*

v2.0.0
v2.0.1
v2.1
v2.2
v2.3
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.2
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.3.10
v3.3.11
v3.4.0
v3.4.1
v3.4.2
v3.4.3

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.1.11
v4.1.12
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.3.0
v4.3.1
v4.4.0
v4.4.1
v4.5.0
v4.5.1
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.6.4
v4.6.5
v4.6.6
v4.6.7
v4.6.8
v4.6.10
v4.6.11
v4.6.12
v4.6.13
v4.6.14
v4.6.15
v4.6.16
v4.16.14

4.*

4.6.9

Database specific

{
    "last_known_affected_version_range": "<= 4.16.15"
}