Talos Vulnerability Report

TALOS-2025-2195

Entr'ouvert Lasso lasso_node_init_from_message_with_format denial of service vulnerability

November 5, 2025

CVE Number

CVE-2025-46784

SUMMARY

A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Entr’ouvert Lasso 2.5.1

PRODUCT URLS

Lasso - https://lasso.entrouvert.org/

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Improper Release of Memory Before Removing Last Reference

DETAILS

The Lasso SAML Library is an open-source implementation of the Security Assertion Markup Language (SAML) standard, primarily used for enabling single sign-on (SSO) functionality across web applications. It provides tools for SAML authentication, handling assertions, metadata parsing, and service provider (SP) and identity provider (IdP) interactions.

In lasso_node_init_from_message_with_format, g_malloc is used at line 2599 to allocate the buffer msg, but that buffer is not necessarily deallocated before the function returns. From lasso_node_init_from_message_with_format:

Line 2582    LassoMessageFormat
Line 2583    lasso_node_init_from_message_with_format(LassoNode *node, const char *message, LassoMessageFormat constraint, xmlDoc **doc_out, xmlNode **root_out)
Line 2584    {
Line 2585        char *msg = NULL;
Line 2586        gboolean b64 = FALSE;
Line 2587        LassoMessageFormat rc = LASSO_MESSAGE_FORMAT_ERROR;
Line 2588        xmlDoc *doc = NULL;
Line 2589        xmlNode *root = NULL;
Line 2590        gboolean any = constraint == LASSO_MESSAGE_FORMAT_UNKNOWN;
Line 2591
Line 2592        msg = (char*)message;
Line 2593
Line 2594        /* BASE64 case */
Line 2595        if (any || constraint == LASSO_MESSAGE_FORMAT_BASE64) {
Line 2596            if (message[0] != 0 && is_base64(message)) {
Line 2597                int rc = 0;
Line 2598
Line 2599                msg = g_malloc(strlen(message));
Line 2600                rc = xmlSecBase64Decode((xmlChar*)message, (xmlChar*)msg, strlen(message));
Line 2601                if (rc >= 0) { 
Line 2602                    b64 = TRUE;
Line 2603                } else {
Line 2604                    lasso_release(msg);
Line 2605                    msg = (char*)message;
Line 2606                }    
Line 2607            }    
Line 2608        }
.......
Line 2662	cleanup:
Line 2663		if (doc_out) {
Line 2664			*doc_out = doc;
Line 2665			if (root_out) {
Line 2666				*root_out = root;
Line 2667			}
Line 2668		} else {
Line 2669			lasso_release_doc(doc);
Line 2670		}
Line 2671		return rc;
Line 2672	}

An attacker sending a precisely crafted malformed SAML response can cause memory exhaustion, ultimately leading to a denial of service.
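
The ownership pattern behind this leak, reduced to a self-contained C example that is added here and is not code from Lasso or from the vendor's patch: parse_leaky mirrors the excerpt's handling of msg, and parse_fixed shows one possible correction. tracked_alloc, tracked_free, toy_decode and leaked_after are hypothetical stand-ins (for g_malloc, lasso_release, and the base64 check and decode), and the inputs are constructed.

```c
#include <stdlib.h>
#include <string.h>

static long live_allocs = 0;  /* constructed counter: heap buffers not yet freed */
static void *tracked_alloc(size_t n) { live_allocs++; return malloc(n ? n : 1); }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Hypothetical stand-in for is_base64() + xmlSecBase64Decode(): copies or fails. */
static int toy_decode(const char *in, char *out, size_t cap) {
    size_t n = strlen(in);
    if (n > cap || strspn(in, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz0123456789+/=") != n)
        return -1;               /* character outside the base64 alphabet */
    memcpy(out, in, n);
    return (int)n;
}

/* Pattern of the excerpt: msg aliases the caller's string or owns a heap buffer. */
int parse_leaky(const char *message) {
    char *msg = (char *)message;
    if (message[0] != 0) {
        msg = tracked_alloc(strlen(message));
        if (toy_decode(message, msg, strlen(message)) < 0) {
            tracked_free(msg);   /* only the failure path releases the buffer */
            msg = (char *)message;
        }
    }
    return msg != message;       /* 1 = base64 path; decoded buffer is never freed */
}

/* One way to fix it: keep the owned pointer separate and free it on every exit. */
int parse_fixed(const char *message) {
    char *owned = NULL;          /* non-NULL only when this function allocated */
    const char *msg = message;
    if (message[0] != 0) {
        owned = tracked_alloc(strlen(message));
        if (toy_decode(message, owned, strlen(message)) >= 0) msg = owned;
    }
    int b64 = (msg == owned);    /* parsing of msg would happen before this point */
    tracked_free(owned);         /* no-op for NULL, so it is safe unconditionally */
    return b64;
}

/* Net number of buffers still allocated after `calls` invocations of fn. */
long leaked_after(int (*fn)(const char *), const char *input, int calls) {
    long before = live_allocs;
    for (int i = 0; i < calls; i++) fn(input);
    return live_allocs - before;
}
```

Running leaked_after over a base64-looking input shows the leaky variant leaving one buffer allocated per call, while an input that fails the decode leaks nothing in either variant.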

TIMELINE

2025-05-13 - Initial Vendor Contact
2025-05-14 - Vendor Disclosure
2025-08-12 - Vendor Patch Release
2025-11-05 - Public Release

Credit

Discovered by Keane O'Kelley and another member of Cisco Advanced Security Initiative Group