PT-2025-7043 · Unknown · Spid.Aspnetcore.Authentication
From veeko +2 · Published 2025-02-17 · Updated 2025-02-18 · CVE-2025-24894
CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
SPID.AspNetCore.Authentication versions prior to 3.4.0
Description:
The flaw is in the SAML assertion validation logic of the SPID.AspNetCore.Authentication library. An attacker can craft an arbitrary SAML response that Service Providers (SPs) using vulnerable SDKs will accept, which lets the attacker impersonate any SPID and/or CIE user. The root cause is that nothing guarantees the first signature refers to the root object: if an attacker injects a signed element as the first element, none of the other signatures are verified. The only requirement is a legitimately signed XML element from the Identity Provider (IdP), which is easily obtained from the IdP's public metadata.
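The description comes down to which signature gets checked and which element it covers. The Python sketch below is an added example, not code from SPID.AspNetCore.Authentication: it contrasts the "first signature in the document" selection with a structural check that each signature references the element carrying it. The function names, the sample documents (constructed, with placeholder signatures) and the policy that both the Response and every Assertion are signed are assumptions; cryptographic verification of each signature is out of scope and must still be done.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
REF = f"{DS}SignedInfo/{DS}Reference"

def first_signature_uri(xml_text):
    """Reference URI of the first ds:Signature in document order (the flawed pick)."""
    sig = next(ET.fromstring(xml_text).iter(DS + "Signature"), None)
    ref = sig.find(REF) if sig is not None else None
    return ref.get("URI") if ref is not None else None

def binding_problems(xml_text):
    """Structural problems in a SAML response; [] means each signature is bound
    to the element carrying it. Cryptographic verification must still follow."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        return ["root is not samlp:Response"]
    problems = []
    ids = [e.get("ID") for e in root.iter() if e.get("ID")]
    if len(ids) != len(set(ids)):
        problems.append("duplicate ID values")
    # Assumed policy: the Response and every Assertion carry their own signature.
    signed = [root] + root.findall(SAML + "Assertion")
    if len(signed) < 2:
        problems.append("no Assertion directly under Response")
    expected = 0
    for el in signed:
        name, sigs = el.tag.split("}")[1], el.findall(DS + "Signature")
        expected += len(sigs)
        refs = sigs[0].findall(REF) if sigs else []
        if len(sigs) != 1:
            problems.append(f"{name} has {len(sigs)} direct signatures")
        elif len(refs) != 1 or not el.get("ID") or refs[0].get("URI") != "#" + el.get("ID"):
            problems.append(f"{name} signature does not reference its own ID")
    if len(list(root.iter(DS + "Signature"))) != expected:
        problems.append("signature on unexpected element")
    return problems

def _sig(uri):  # constructed placeholder: no digest, key or signature value
    return (f'<ds:Signature xmlns:ds="{DS[1:-1]}"><ds:SignedInfo>'
            f'<ds:Reference URI="{uri}"/></ds:SignedInfo></ds:Signature>')

NS = f'xmlns:samlp="{SAMLP[1:-1]}" xmlns:saml="{SAML[1:-1]}"'
# Constructed samples: signatures bound to their parents vs. a signed foreign element first.
BOUND = (f'<samlp:Response {NS} ID="_r1">{_sig("#_r1")}'
         f'<saml:Assertion ID="_a1">{_sig("#_a1")}</saml:Assertion></samlp:Response>')
UNBOUND = (f'<samlp:Response {NS} ID="_r2"><Other ID="_x">{_sig("#_x")}</Other>'
           f'<saml:Assertion ID="_a2"/></samlp:Response>')
```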
Recommendations:
For versions prior to 3.4.0, upgrade to version 3.4.0 or later to resolve the issue. As a temporary workaround, verify all signatures within the SAML response and do not accept unsigned XML elements. Restrict access to the vulnerable VerifySignature function until a patch is available. Avoid using the signedDocument parameter in the affected API endpoint until the issue is resolved.
Exploit
Fix
Improper Authentication
Authentication Bypass by Spoofing
Affected Products
Spid.Aspnetcore.Authentication