202501-01

Signature bypass vulnerability

Description

When multiple SAMLResponse parameters were passed in the same request, the signature was validated against the second one instead of the first one.

Mitigation

Update to the latest version of SimpleSAMLphp, or manually bump the simplesamlphp/saml2 dependency to v4.17.0.

Background / details

The HTTPRedirect binding didn't properly check the query parameters. We've changed it to reject duplicate parameters and any illegal combination of parameters (e.g. both a SAMLResponse and a SAMLRequest in one request).
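The following is an added illustration of the kind of check described above; it is not the simplesamlphp/saml2 patch and is not code from the project. It assumes the receiver has access to the raw query string (for example `$_SERVER['QUERY_STRING']`), and it is written because PHP's own `parse_str()`/`$_GET` keep only the last value of a repeated parameter, so a parser that later looks at the raw string can end up validating a different value than the one the application uses. The function name `parseRedirectBindingQuery` and the exception type are the example's own choices; the additional rule that `Signature` and `SigAlg` must appear together goes beyond the advisory text and follows the SAML HTTP-Redirect binding, where the signature cannot be verified without the algorithm identifier.

```php
<?php
declare(strict_types=1);

/**
 * Parse the raw query string of an HTTP-Redirect binding message strictly.
 *
 * Unlike parse_str()/$_GET, this rejects any parameter that appears more than
 * once and rejects a request that carries both SAMLRequest and SAMLResponse.
 * Values are returned exactly as they appeared (still URL-encoded), because
 * the Redirect binding signature is computed over the encoded form.
 *
 * @return array<string,string> parameter name => raw (URL-encoded) value
 * @throws InvalidArgumentException on duplicate or illegal parameter sets
 */
function parseRedirectBindingQuery(string $rawQuery): array
{
    $params = [];
    foreach (explode('&', $rawQuery) as $pair) {
        if ($pair === '') {
            continue; // tolerate a trailing or doubled '&'
        }
        $parts = explode('=', $pair, 2);
        $name = urldecode($parts[0]);
        $rawValue = $parts[1] ?? '';

        // A repeated parameter is the ambiguity that let two SAMLResponse
        // values reach different code paths; refuse the whole message.
        if (array_key_exists($name, $params)) {
            throw new InvalidArgumentException(
                sprintf('Duplicate query parameter "%s" in Redirect binding message', $name)
            );
        }
        $params[$name] = $rawValue;
    }

    $hasRequest = array_key_exists('SAMLRequest', $params);
    $hasResponse = array_key_exists('SAMLResponse', $params);

    // Exactly one of SAMLRequest / SAMLResponse is allowed per message.
    if ($hasRequest === $hasResponse) {
        throw new InvalidArgumentException(
            'Redirect binding message must carry exactly one of SAMLRequest or SAMLResponse'
        );
    }

    // Assumption beyond the advisory: a Signature without SigAlg (or the
    // reverse) cannot be verified, so treat the pair as all-or-nothing.
    if (array_key_exists('Signature', $params) !== array_key_exists('SigAlg', $params)) {
        throw new InvalidArgumentException('Signature and SigAlg must be present together');
    }

    return $params;
}

// Constructed sample inputs (not real SAML messages) showing the difference
// between PHP's default parsing and the strict parser.
$duplicated = 'SAMLResponse=first&SAMLResponse=second&RelayState=abc';

parse_str($duplicated, $loose);
echo 'parse_str keeps only: ', $loose['SAMLResponse'], PHP_EOL; // "second"

try {
    parseRedirectBindingQuery($duplicated);
} catch (InvalidArgumentException $e) {
    echo 'strict parser rejected: ', $e->getMessage(), PHP_EOL;
}

try {
    parseRedirectBindingQuery('SAMLRequest=a&SAMLResponse=b');
} catch (InvalidArgumentException $e) {
    echo 'strict parser rejected: ', $e->getMessage(), PHP_EOL;
}

$ok = parseRedirectBindingQuery('SAMLResponse=only&RelayState=abc');
echo 'accepted parameters: ', implode(', ', array_keys($ok)), PHP_EOL;
```

The practical point for reviewers of similar code is that the duplicate check has to run over the raw query string before any convenience parsing, and that both the signature-verification path and the message-decoding path must consume the same parsed result rather than each reading the request independently.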

Credit

This vulnerability was discovered and reported by ahacker1-securesaml on November 18, 2024. It is registered under CVE-2025-27773.