VulnerableCode Package Details - pkg:composer/simplesamlphp/saml2@4.2.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-6c55-4pyx-ckbx Aliases: CVE-2025-27773 GHSA-46r4-f8gj-xg56	The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. I believe that it exists for v4 only. I have not yet developed a PoC. V5 is well designed and instead builds the signed query from the same message that will be consumed.	4.17.0 Affected by 0 other vulnerabilities. 5.0.0-alpha.20 Affected by 0 other vulnerabilities.
VCID-8b8r-g7e2-qfb2 Aliases: CVE-2024-52806 GHSA-pxm4-r5ph-q2m2	SimpleSAMLphp SAML2 has an XXE in parsing SAML messages Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.	4.6.14 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ma9b-k5br-ffhd Aliases: CVE-2024-52596 GHSA-2x65-fpch-2fcm	SimpleSAMLphp xml-common XXE vulnerability When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.	4.6.14 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6c55-4pyx-ckbx
Aliases:
CVE-2025-27773
GHSA-46r4-f8gj-xg56

The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. I believe that it exists for v4 only. I have not yet developed a PoC. V5 is well designed and instead builds the signed query from the same message that will be consumed.

4.17.0
Affected by 0 other vulnerabilities.

5.0.0-alpha.20
Affected by 0 other vulnerabilities.

VCID-8b8r-g7e2-qfb2
Aliases:
CVE-2024-52806
GHSA-pxm4-r5ph-q2m2

SimpleSAMLphp SAML2 has an XXE in parsing SAML messages Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

4.6.14
Affected by 1 other vulnerability.

VCID-ma9b-k5br-ffhd
Aliases:
CVE-2024-52596
GHSA-2x65-fpch-2fcm

SimpleSAMLphp xml-common XXE vulnerability When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

4.6.14
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T05:41:55.597912+00:00	GitLab Importer	Affected by	VCID-6c55-4pyx-ckbx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2025-27773.yml	38.6.0
2026-06-06T05:33:19.706959+00:00	GitLab Importer	Affected by	VCID-ma9b-k5br-ffhd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2024-52596.yml	38.6.0
2026-06-06T05:33:03.276442+00:00	GitLab Importer	Affected by	VCID-8b8r-g7e2-qfb2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2024-52806.yml	38.6.0