PT-2025-10892 · Unknown+1 · Simplesamlphp+1

Ahacker1-Securesaml · Published 2025-03-11 · Updated 2025-09-03 · CVE-2025-27773

CVSS v3.1: 8.6 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SimpleSAMLphp SAML2 library versions prior to 4.17.0 and 5.0.0-alpha.20
Description: The vulnerability is a signature confusion flaw in the HTTP-Redirect binding. An attacker who holds any signed SAMLResponse delivered over the HTTP-Redirect binding can cause the application to accept an unsigned message, which can lead to impersonation of any user within the SP. The root cause is that the content the library goes on to process is not necessarily the same data over which the signature was actually verified. Microsoft Azure AD/Entra and likely ADFS sign the LogoutResponse in this SimpleSign format over the HTTP-Redirect binding, so a valid Signature value can be obtained from such a response.
Recommendations: For versions prior to 4.17.0, update to version 4.17.0 or later. For versions prior to 5.0.0-alpha.20, update to version 5.0.0-alpha.20 or later. As a temporary workaround, consider restricting access to the HTTP-Redirect binding to minimize the risk of exploitation, and avoid using the SAMLRequest parameter on the affected endpoint until the fix is deployed.


Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2025-27773
DLA-4161-1
GHSA-46R4-F8GJ-XG56

Affected Products

Debian
Simplesamlphp