Unknown · Spid.Aspnetcore.Authentication · CVE-2025-24895
Name of the Vulnerable Software and Affected Versions:
CIE.AspNetCore.Authentication versions prior to 2.1.0
Description:
The issue concerns the validation logic of SAML assertions within SAML responses in CIE.AspNetCore.Authentication. In affected versions, there is no guarantee that the first signature refers to the root object, allowing an attacker to inject a signed element as the first element, which would prevent the verification of other signatures. This could enable an attacker to craft an arbitrary SAML response that would be accepted by Service Providers (SPs) using vulnerable SDKs, allowing them to impersonate any Spid and/or CIE user. The only requirement for an attacker is to have a legitimately signed XML element from the Identity Provider (IdP), which can be easily obtained using the public metadata of the IdP.
Recommendations:
For versions prior to 2.1.0, upgrade to version 2.1.0 or later to address the issue. As a temporary workaround, consider verifying all signatures within the SAML response and not accepting unsigned XML elements to minimize the risk of exploitation. Restrict access to the vulnerable `VerifySignature` function until a patch is available. Avoid using the `signedDocument` parameter in the affected API endpoint until the issue is resolved.
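The check the advisory's workaround describes, written out as an added example (not the library's own code): it rejects any signature that does not reference its own parent, any signed element that is not the Response root or an Assertion, any unsigned Assertion, and any signature that does not verify under the IdP key. It assumes .NET's `System.Security.Cryptography.Xml`, that the root carries an `ID` attribute, and that `idpCert` is an RSA signing certificate already loaded from the IdP metadata.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlSignatureCheck
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Accepts the Response only if: (1) the root element carries its own signature,
    // (2) every ds:Signature references exactly its parent via a unique ID,
    // (3) every signed parent is the root or a saml:Assertion, (4) every
    // Assertion is signed, and (5) every signature verifies under the IdP key.
    public static bool VerifyResponse(XmlDocument doc, X509Certificate2 idpCert)
    {
        XmlElement root = doc.DocumentElement;
        var allElements = doc.SelectNodes("//*").Cast<XmlElement>().ToList();
        var signatures = allElements
            .Where(e => e.LocalName == "Signature" && e.NamespaceURI == DsNs).ToList();
        if (signatures.Count == 0) return false;

        bool rootSigned = false;
        foreach (XmlElement sigEl in signatures)   // never trust document order
        {
            var parent = sigEl.ParentNode as XmlElement;
            if (parent == null) return false;
            bool parentIsAssertion = parent.LocalName == "Assertion" && parent.NamespaceURI == SamlNs;
            if (!ReferenceEquals(parent, root) && !parentIsAssertion) return false; // stray signed element

            // Reference must target the parent's ID, and that ID must occur exactly once.
            string parentId = parent.GetAttribute("ID");
            if (string.IsNullOrEmpty(parentId)) return false;
            if (allElements.Count(e => e.GetAttribute("ID") == parentId) != 1) return false;

            var signedXml = new SignedXml(parent);
            signedXml.LoadXml(sigEl);
            var refs = signedXml.SignedInfo.References.Cast<Reference>().ToList();
            if (refs.Count != 1 || refs[0].Uri != "#" + parentId) return false;

            // Verify with the metadata key only; KeyInfo inside the message is ignored (assumes RSA).
            if (!signedXml.CheckSignature(idpCert.GetRSAPublicKey(), true)) return false;
            if (ReferenceEquals(parent, root)) rootSigned = true;
        }

        // Reject unsigned assertions, as the workaround above recommends.
        bool allAssertionsSigned = allElements
            .Where(e => e.LocalName == "Assertion" && e.NamespaceURI == SamlNs)
            .All(a => a.ChildNodes.Cast<XmlNode>().Any(c => c.LocalName == "Signature" && c.NamespaceURI == DsNs));
        return rootSigned && allAssertionsSigned;
    }
}
```

Because the routine refuses a Response unless its root is the signed element and every other signature is also valid, an injected element signed by the IdP is rejected rather than short-circuiting the remaining checks.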