CVE-2025-24894
📋 TL;DR
This vulnerability in SPID.AspNetCore.Authentication allows attackers to bypass SAML signature validation by injecting a signed XML element. This enables impersonation of any SPID or CIE user on affected systems. All systems using vulnerable versions of this authentication library are affected.
💻 Affected Systems
- SPID.AspNetCore.Authentication
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing attackers to impersonate any user, access sensitive data, and perform unauthorized actions as any legitimate user.
Likely Case
Authentication bypass leading to unauthorized access to protected resources and potential data exposure.
If Mitigated
Limited impact if proper network segmentation and additional authentication layers are in place.
🎯 Exploit Status
Exploitation requires knowledge of SAML and access to IdP public metadata, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.0
Vendor Advisory: https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw
Restart Required: Yes
Instructions:
1. Update the NuGet package to version 3.4.0 or later.
2. Update the package reference in your project file.
3. Rebuild and redeploy your application.
4. Restart the application.
🧯 If You Can't Patch
- Implement an additional authentication layer (e.g., multi-factor authentication)
- Monitor authentication logs for suspicious patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check the installed NuGet package version in your project. If the version is below 3.4.0, you are vulnerable.
Check Version:
dotnet list package | grep SPID.AspNetCore.Authentication
Verify Fix Applied:
Verify that the package version is 3.4.0 or higher in your project dependencies and that the application is using the updated library.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Multiple authentication attempts from the same source with different user identities
- SAML responses with unexpected XML structures
Network Indicators:
- Unusual SAML traffic patterns
- SAML responses with multiple signatures or unexpected XML elements
SIEM Query:
source="authentication_logs" AND (event="SAML_authentication" AND (xml_element_count > threshold OR signature_count > 1))
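The structural indicators listed above (extra Assertion elements, a Signature whose Reference does not point at the element it sits under) can be checked mechanically when SAML Responses are captured in logs or traffic. The following Python script is an added example, not code from the page or from the spid-aspnetcore project: it parses a Response with the standard library, builds a child-to-parent map (ElementTree has no parent pointers), and reports each anomaly. The two sample responses and the function names are constructed for this example; the signature values are placeholders, so this is a triage heuristic for detection, not a substitute for the library's signature validation.

```python
"""Triage heuristic for SAML Responses: flag multiple Assertions and
Signature elements whose Reference URI does not match the ID of the
element they are attached to. Example code, not part of the original
page or project; sample XML below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def qname(prefix, local):
    """Clark-notation tag name ({namespace}local) for an ElementTree lookup."""
    return f"{{{NS[prefix]}}}{local}"


def local_name(tag):
    """Strip the namespace part of a Clark-notation tag for readable findings."""
    return tag.split("}")[-1]


def inspect_saml_response(xml_text):
    """Return a list of findings; an empty list means nothing anomalous was seen.

    Checks performed:
      * exactly one saml2:Assertion in the Response
      * every ds:Signature sits directly under Response or Assertion
      * each Signature's single Reference URI equals '#' + parent ID
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != qname("saml2p", "Response"):
        return ["root element is not saml2p:Response"]

    assertions = root.findall(".//saml2:Assertion", NS)
    if len(assertions) != 1:
        findings.append(f"{len(assertions)} Assertion elements (expected 1)")

    # ElementTree elements do not know their parent, so map children to parents.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    allowed_parents = {qname("saml2p", "Response"), qname("saml2", "Assertion")}

    for sig in root.iter(qname("ds", "Signature")):
        parent = parent_of[sig]
        if parent.tag not in allowed_parents:
            findings.append(
                f"Signature under unexpected element {local_name(parent.tag)}")
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        uris = [r.get("URI", "") for r in refs]
        expected = "#" + parent.get("ID", "")
        if uris != [expected]:
            findings.append(
                f"Signature under {local_name(parent.tag)} references {uris}, "
                f"expected ['{expected}']")
    return findings


# Constructed sample: one Assertion, both signatures reference their own parent.
CLEAN_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml2:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml2:Subject><saml2:NameID>user@example.test</saml2:NameID></saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed sample: a second Assertion, and a Signature whose Reference
# points at a different element than the one it is attached to.
SUSPICIOUS_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml2:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a2"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml2:Subject><saml2:NameID>user@example.test</saml2:NameID></saml2:Subject>
  </saml2:Assertion>
  <saml2:Assertion ID="_a2">
    <saml2:Subject><saml2:NameID>other@example.test</saml2:NameID></saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_RESPONSE), ("suspicious", SUSPICIOUS_RESPONSE)):
        print(label, inspect_saml_response(doc) or "no findings")
```

Run over decoded SAMLResponse bodies from the SP's request logs, the findings list maps onto the SIEM query's `signature_count` and `xml_element_count` fields; a non-empty result is a reason to look at the session, not proof of exploitation, since an IdP misconfiguration can produce the same shape.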