Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/simplesamlphp/saml2@3.1.0
purl pkg:composer/simplesamlphp/saml2@3.1.0
Next non-vulnerable version 4.17.0
Latest non-vulnerable version 4.17.0
Risk 4.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-6c55-4pyx-ckbx
Aliases:
CVE-2025-27773
GHSA-46r4-f8gj-xg56
The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. I believe that it exists for v4 only. I have not yet developed a PoC. V5 is well designed and instead builds the signed query from the same message that will be consumed.
4.17.0
Affected by 0 other vulnerabilities.
5.0.0-alpha.20
Affected by 0 other vulnerabilities.
VCID-8b8r-g7e2-qfb2
Aliases:
CVE-2024-52806
GHSA-pxm4-r5ph-q2m2
SimpleSAMLphp SAML2 has an XXE in parsing SAML messages Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
4.6.14
Affected by 1 other vulnerability.
VCID-ma9b-k5br-ffhd
Aliases:
CVE-2024-52596
GHSA-2x65-fpch-2fcm
SimpleSAMLphp xml-common XXE vulnerability When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
4.6.14
Affected by 1 other vulnerability.
VCID-ucwf-xdma-h7fc
Aliases:
CVE-2018-6519
GHSA-hhm8-2j4g-mpgg
Injection Vulnerability The SAML2 library in `SimpleSAMLphp` has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.
3.1.1
Affected by 5 other vulnerabilities.
VCID-wbt9-snjj-uuea
Aliases:
CVE-2018-7644
GHSA-923w-2xv2-7pr8
Improper signature validation The `XmlSecLibs` library as used in the saml2 library in SimpleSAMLphp incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.
3.1.3
Affected by 4 other vulnerabilities.
VCID-xx6m-pvgs-puga
Aliases:
CVE-2018-7711
GHSA-g888-g2pp-82hf
Incorrect signature validation An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.
3.1.4
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T05:41:55.365073+00:00 GitLab Importer Affected by VCID-6c55-4pyx-ckbx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2025-27773.yml 38.6.0
2026-06-06T05:33:19.467997+00:00 GitLab Importer Affected by VCID-ma9b-k5br-ffhd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2024-52596.yml 38.6.0
2026-06-06T05:33:03.003508+00:00 GitLab Importer Affected by VCID-8b8r-g7e2-qfb2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2024-52806.yml 38.6.0
2026-06-04T20:11:24.792023+00:00 GitLab Importer Affected by VCID-wbt9-snjj-uuea https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-7644.yml 38.6.0
2026-06-04T20:11:24.499368+00:00 GitLab Importer Affected by VCID-xx6m-pvgs-puga https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-7711.yml 38.6.0
2026-06-04T20:11:05.935804+00:00 GitLab Importer Affected by VCID-ucwf-xdma-h7fc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-6519.yml 38.6.0