CVE-2025-46404
A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Entr'ouvert Lasso 2.5.1
Lasso - https://lasso.entrouvert.org/
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-476 - NULL Pointer Dereference
The Lasso SAML Library is an open-source implementation of the Security Assertion Markup Language (SAML) standard, primarily used for enabling single sign-on (SSO) functionality across web applications. It provides tools for SAML authentication, handling assertions, metadata parsing, and service provider (SP) and identity provider (IdP) interactions.
The return value of xmlSecGetNodeNsHref at line 1365 of lasso_provider_verify_saml_signature, which is NULL when signed_node carries no namespace, is passed unchecked to strcmp at line 1366.
See the following code snippet from line 1349 in https://git.entrouvert.org/entrouvert/lasso/src/tag/v2.5.1/lasso/id-ff/provider.c
Line 1349 int
Line 1350 lasso_provider_verify_saml_signature(LassoProvider *provider,
Line 1351 xmlNode *signed_node, xmlDoc *doc)
Line 1352 {
Line 1353 const char *id_attribute_name = NULL;
Line 1354 const xmlChar *node_ns = NULL;
Line 1355 GList *public_keys = NULL;
Line 1356 xmlSecKeysMngr *keys_manager = NULL;
Line 1357 int rc = 0;
Line 1358 int signature_rc = 0;
Line 1359
Line 1360 lasso_bad_param(PROVIDER, provider);
Line 1361 lasso_null_param(signed_node);
Line 1362 g_return_val_if_fail((signed_node->doc && doc) || ! signed_node->doc, LASSO_PARAM_ERROR_INVALID_VALUE);
Line 1363
Line 1364 /* ID-FF 1.2 Signatures case */
Line 1365 node_ns = xmlSecGetNodeNsHref(signed_node); // submitter note: may return NULL
Line 1366 if ((strcmp((char*)node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0) || // ASA crash when node_ns is NULL
Line 1367 (strcmp((char*)node_ns, LASSO_SAML2_ASSERTION_HREF) == 0)) {
An attacker sending a precisely crafted malformed SAML response causes a NULL pointer dereference and ultimately a denial of service. In the crash below, the samlp prefix on the Response element is never declared, so libxml2 reports it as undefined and attaches no namespace to the node; xmlSecGetNodeNsHref then returns NULL and strcmp reads from address 0x0.
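To make the missing check concrete, the following is an added example, not Lasso's code and not the vendor's patch. It is a self-contained C model with constructed stand-ins for xmlNode and xmlSecGetNodeNsHref, the unchecked strcmp pattern from lines 1365-1367 beside one NULL-tolerant form, and constructed sample nodes including a Response whose samlp prefix was never declared. The Ns/Node types, the NsClass values and the "urn:example" namespace are assumptions for the model only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the libxml2/xmlsec types (not the real
 * structures): a node carries a namespace href only when its prefix was
 * declared. An undeclared prefix, as libxml2 reports in the crash log
 * ("Namespace prefix samlp on Response is not defined"), leaves ns NULL. */
typedef struct { const char *href; } Ns;
typedef struct { const char *name; const Ns *ns; } Node;

/* Namespace URIs compared at lines 1366-1367 of provider.c. */
#define LASSO_SAML2_PROTOCOL_HREF  "urn:oasis:names:tc:SAML:2.0:protocol"
#define LASSO_SAML2_ASSERTION_HREF "urn:oasis:names:tc:SAML:2.0:assertion"

typedef enum {
    NS_MISSING = -1,  /* node has no namespace: reject before any strcmp() */
    NS_OTHER   =  0,  /* some other namespace (the ID-FF 1.2 path in Lasso) */
    NS_SAML2   =  1   /* SAML 2.0 protocol or assertion namespace */
} NsClass;

/* Stand-in for xmlSecGetNodeNsHref(): NULL when the node has no namespace. */
static const char *node_ns_href(const Node *n)
{
    return (n != NULL && n->ns != NULL) ? n->ns->href : NULL;
}

/* The pattern from the advisory: node_ns goes straight into strcmp().
 * Calling this on a node without a namespace dereferences NULL, which is
 * the SIGSEGV in the Valgrind trace. Kept only to show the bug's shape. */
static int is_saml2_node_vulnerable(const Node *n)
{
    const char *node_ns = node_ns_href(n);
    return (strcmp(node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0) ||
           (strcmp(node_ns, LASSO_SAML2_ASSERTION_HREF) == 0);
}

/* One hardened form: classify the namespace and treat "no namespace" as its
 * own outcome, so the caller can fail the message before touching the pointer. */
static NsClass classify_node_ns(const Node *n)
{
    const char *node_ns = node_ns_href(n);
    if (node_ns == NULL)
        return NS_MISSING;
    if (strcmp(node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0 ||
        strcmp(node_ns, LASSO_SAML2_ASSERTION_HREF) == 0)
        return NS_SAML2;
    return NS_OTHER;
}

/* Constructed sample nodes (assumed for this example). */
static const Ns   SAML2P_NS = { LASSO_SAML2_PROTOCOL_HREF };
static const Ns   SAML2_NS  = { LASSO_SAML2_ASSERTION_HREF };
static const Ns   OTHER_NS  = { "urn:example:some-other-namespace" };
static const Node GOOD_RESPONSE  = { "Response",  &SAML2P_NS };
static const Node GOOD_ASSERTION = { "Assertion", &SAML2_NS };
static const Node OTHER_NODE     = { "Response",  &OTHER_NS };
/* <samlp:Response> with no xmlns:samlp declaration in scope: no namespace. */
static const Node UNDECLARED_RESPONSE = { "Response", NULL };

int main(void)
{
    /* Both versions agree on well-formed input... */
    printf("vulnerable, good Response:  %d\n", is_saml2_node_vulnerable(&GOOD_RESPONSE));
    printf("fixed, good Response:       %d\n", classify_node_ns(&GOOD_RESPONSE));
    printf("fixed, good Assertion:      %d\n", classify_node_ns(&GOOD_ASSERTION));
    printf("fixed, other namespace:     %d\n", classify_node_ns(&OTHER_NODE));
    /* ...but only the hardened one survives the malformed Response. */
    printf("fixed, undeclared prefix:   %d\n", classify_node_ns(&UNDECLARED_RESPONSE));
    /* is_saml2_node_vulnerable(&UNDECLARED_RESPONSE) would segfault here. */
    return 0;
}
```

The design point is that the namespace lookup is part of input validation: a node without a namespace cannot be a SAML 2.0 Response or Assertion, so it should be rejected as an invalid message rather than compared, and the rejection must happen before the pointer reaches strcmp.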
==482694== Command: ./repro ./args-files/saml-metadata.xml ./args-files/server.pem ./args-files/idp-metadata.xml ./args-files/pub.pem ./args-files/ca-cert.pem CSCwo73892-null-ptr-deref_pure
==482694==
### unhandled dwarf2 abbrev form code 0x25
### unhandled dwarf2 abbrev form code 0x25
### unhandled dwarf2 abbrev form code 0x25
### unhandled dwarf2 abbrev form code 0x1b
get_Form_szB: unhandled 27 (DW_FORM_addrx)
--482694-- WARNING: Serious error when reading debug info
--482694-- When reading debug info from /home/tester/package/repro:
--482694-- get_Form_contents: unhandled DW_FORM
(process:482694): Lasso-WARNING **: 14:32:50.486: 2025-05-06 14:32:50 Could not read KeyInfo from signing KeyDescriptor
==482694== Warning: set address range perms: large range [0x7aad040, 0x198c7340) (undefined)
(process:482694): Lasso-CRITICAL **: 14:32:50.951: libxml2: Namespace prefix XXX for samlp on Response is not defined\n
(process:482694): Lasso-CRITICAL **: 14:32:50.953: libxml2: Namespace prefix samlp on Response is not defined\n
setting original xmlnode (at 0x79350e0) on node LassoSamlp2Response:0x791e1b0
allocation of LassoSaml2NameID (for xmlNode 0x7934d90) : 0x7936110
setting prop LassoSaml2NameID/content to value 0x79362f0: https://idp.rizzo.zargs.net/realms/rizzo
==482694== Invalid read of size 1
==482694== at 0x484FBD4: strcmp (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==482694== by 0x48B4692: lasso_provider_verify_saml_signature (in /home/tester/package/libs/lasso-2.5.1/build/lib/liblasso.so.3.12.1)
==482694== by 0x48C6944: lasso_saml20_profile_process_any_response (in /home/tester/package/libs/lasso-2.5.1/build/lib/liblasso.so.3.12.1)
==482694== by 0x48CE645: lasso_saml20_login_process_authn_response_msg (in /home/tester/package/libs/lasso-2.5.1/build/lib/liblasso.so.3.12.1)
==482694== by 0x48A3C52: lasso_login_process_authn_response_msg (in /home/tester/package/libs/lasso-2.5.1/build/lib/liblasso.so.3.12.1)
==482694== by 0x109559: main (harness.c:118)
==482694== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==482694==
==482694==
==482694== Process terminating with default action of signal 11 (SIGSEGV)
==482694== Access not within mapped region at address 0x0
==482694== at 0x484FBD4: strcmp (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==482694== by 0x48B4692: lasso_provider_verify_saml_signature (in /home/tester/package/libs/lasso-2.5.1/build/lib/liblasso.so.3.12.1)
==482694== by 0x48C6944: lasso_saml20_profile_process_any_response (in /home/tester/package/libs/lasso-2.5.1/build/lib/liblasso.so.3.12.1)
==482694== by 0x48CE645: lasso_saml20_login_process_authn_response_msg (in /home/tester/package/libs/lasso-2.5.1/build/lib/liblasso.so.3.12.1)
==482694== by 0x48A3C52: lasso_login_process_authn_response_msg (in /home/tester/package/libs/lasso-2.5.1/build/lib/liblasso.so.3.12.1)
==482694== by 0x109559: main (harness.c:118)
==482694== If you believe this happened as a result of a stack
==482694== overflow in your program's main thread (unlikely but
==482694== possible), you can try to increase the size of the
==482694== main thread stack using the --main-stacksize= flag.
==482694== The main thread stack size used in this run was 8388608.
2025-05-13 - Initial Vendor Contact
2025-05-14 - Vendor Disclosure
2025-08-12 - Vendor Patch Release
2025-11-05 - Public Release
Discovered by Keane O'Kelley and another member of Cisco Advanced Security Initiative Group