CVE-2025-46404

7.5 HIGH

📋 TL;DR

A denial of service vulnerability in Entr'ouvert Lasso's SAML signature verification allows attackers to crash the service by sending specially crafted SAML responses. This affects systems using Lasso 2.5.1 for SAML authentication. Organizations using Lasso for identity management or single sign-on are vulnerable.

💻 Affected Systems

Products:
  • Entr'ouvert Lasso
Versions: 2.5.1
Operating Systems: All platforms running Lasso
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using lasso_provider_verify_saml_signature functionality for SAML response validation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of applications relying on Lasso for authentication, preventing legitimate users from accessing systems.

🟠 Likely Case

Intermittent service disruptions affecting authentication flows, potentially causing login failures for users.

🟢 If Mitigated

Minimal impact with proper monitoring and rapid incident response to restart affected services.

🌐 Internet-Facing: HIGH - SAML responses typically come from external identity providers over the internet.
🏢 Internal Only: MEDIUM - Internal SAML flows could also be exploited by compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending malformed SAML responses to vulnerable endpoints, which is straightforward for attackers familiar with SAML.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Monitor the Lasso project for security updates.
2. Apply the patch when available.
3. Restart affected services after patching.

🔧 Temporary Workarounds

Input validation filter (applies to: all)

Implement pre-processing that validates the SAML response structure before passing it to lasso_provider_verify_saml_signature.

# Custom implementation required based on deployment
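The structural pre-filter this workaround describes, as an added example that is not Lasso project code: it rejects oversized, DTD-bearing, malformed or structurally incomplete messages before the bytes reach lasso_provider_verify_saml_signature. The page does not say which malformation triggers the crash, so the invariants enforced (size cap, samlp:Response root with an ID, exactly one Assertion, a ds:Signature carrying SignedInfo/Reference and SignatureValue) and the sample messages are assumptions constructed for illustration; this is a generic hygiene layer, not a signature check.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
MAX_BYTES = 256 * 1024  # assumed cap; tune to your IdP's real response sizes


def precheck_saml_response(raw: bytes) -> list:
    """Return the structural problems found; an empty list means the message
    may be handed to lasso_provider_verify_saml_signature. Anything else is
    rejected before Lasso ever parses the bytes."""
    if len(raw) > MAX_BYTES:
        return ["response exceeds size cap"]
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ["DTD or entity declarations are not permitted"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    if root.tag != "{%s}Response" % SAMLP:
        problems.append("root element is %s, expected samlp:Response" % root.tag)
    if not root.get("ID"):
        problems.append("Response has no ID attribute")
    n = len(root.findall("{%s}Assertion" % SAML))
    if n != 1:
        problems.append("expected exactly 1 Assertion, found %d" % n)
    sigs = root.findall(".//{%s}Signature" % DS)
    if not sigs:
        problems.append("no ds:Signature element present")
    for sig in sigs:
        info = sig.find("{%s}SignedInfo" % DS)
        if info is None or info.find("{%s}Reference" % DS) is None:
            problems.append("ds:Signature lacks SignedInfo/Reference")
        if sig.find("{%s}SignatureValue" % DS) is None:
            problems.append("ds:Signature lacks SignatureValue")
    return problems


# Constructed sample messages (not real IdP traffic); the signature bytes are dummies.
GOOD = b"""<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">
 <saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>
 </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature></saml:Assertion>
</samlp:Response>""" % (SAMLP.encode(), SAML.encode(), DS.encode())
# Same message with the SignatureValue element and the Response ID stripped.
BAD = GOOD.replace(b"<ds:SignatureValue>AAAA</ds:SignatureValue>", b"").replace(b' ID="_r1"', b"")

if __name__ == "__main__":
    print(precheck_saml_response(GOOD))  # []
    print(precheck_saml_response(BAD))
```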

Rate limiting (applies to: all)

Limit requests to SAML endpoints to reduce the impact of repeated exploitation attempts.

# Configure web server or application rate limiting

🧯 If You Can't Patch

  • Implement monitoring and alerting for service crashes related to SAML processing
  • Deploy redundant authentication services with automatic failover

🔍 How to Verify

Check if Vulnerable:

Check if running Lasso 2.5.1 and using SAML authentication with signature verification

Check Version:

lasso-config --version

Verify Fix Applied:

Verify updated version after patch becomes available

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service crashes
  • SAML processing errors
  • Segmentation faults in Lasso processes

Network Indicators:

  • Unusual volume of malformed SAML responses
  • SAML responses with abnormal structure

SIEM Query:

source="*lasso*" AND (error OR crash OR segfault) AND saml

🔗 References