CVE-2025-46784

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in Entr'ouvert Lasso's SAML processing allows attackers to crash the service by sending specially crafted SAML responses. This affects systems using Lasso 2.5.1 for SAML authentication. The vulnerability can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • Entr'ouvert Lasso
Versions: 2.5.1
Operating Systems: All platforms running Lasso
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using Lasso for SAML authentication is vulnerable when processing SAML responses.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of SAML authentication, preventing legitimate users from accessing protected resources.

🟠 Likely Case

Intermittent service disruptions affecting SAML authentication flows, potentially causing login failures.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring to detect and block malicious SAML responses.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a malformed SAML response to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Monitor vendor channels for patches.
2. Consider upgrading to a newer version if available.
3. Apply workarounds in the meantime.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement input validation to reject malformed SAML responses before they reach Lasso:

  • Configure web application firewall rules to filter suspicious SAML responses.
  • Implement XML schema validation for incoming SAML messages.
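As an added illustration of the pre-filter described above (example code, not part of this advisory or of Lasso itself), the following Python function checks a SAMLResponse form parameter for size, base64/UTF-8 validity, absence of a DTD, XML well-formedness, the expected root element and nesting depth before the document is handed to Lasso. The size and depth caps, the DTD rule and the sample inputs are assumptions chosen for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace-qualified tag of the SAML 2.0 protocol <Response> element.
RESPONSE_TAG = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"
# Constructed caps (assumption); tune to legitimate IdP responses.
MAX_ENCODED_BYTES = 64 * 1024
MAX_DEPTH = 32


def _depth(elem, level=1):
    """Deepest element nesting level at or below `elem` (root counts as 1)."""
    return max([level] + [_depth(child, level + 1) for child in elem])


def prefilter_saml_response(encoded: str) -> tuple:
    """Return (accepted, reason) for a SAMLResponse form parameter.

    Only a bounded, well-formed samlp:Response without a DTD is handed on to
    Lasso; anything else is rejected before the library ever parses it.
    """
    if len(encoded) > MAX_ENCODED_BYTES:
        return False, "encoded SAMLResponse exceeds size cap"
    try:
        text = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False, "SAMLResponse is not valid base64/UTF-8"
    # A SAML response never needs a DTD, and DTDs are the usual carrier for
    # entity-expansion attacks against XML parsers, so reject them outright.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return False, "DOCTYPE/ENTITY declarations are not allowed"
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    if root.tag != RESPONSE_TAG:
        return False, "root element is not samlp:Response"
    if _depth(root) > MAX_DEPTH:
        return False, "element nesting too deep"
    return True, "ok"


# Constructed sample inputs (not captured IdP traffic).
SAMPLE_OK = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_c1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z"><samlp:Status>'
    b'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    b"</samlp:Status></samlp:Response>").decode()
SAMPLE_TRUNCATED = base64.b64encode(b"<samlp:Response xmlns:samlp='x'><samlp:Status>").decode()
SAMPLE_WRONG_ROOT = base64.b64encode(b'<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>').decode()
SAMPLE_DTD = base64.b64encode(b'<!DOCTYPE r [<!ENTITY a "a">]><r>&a;</r>').decode()
```

The filter only decides whether a response is handed to Lasso; signature and assertion validation still happen in Lasso itself.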

Rate Limiting

Platform: linux

Limit the rate at which SAML responses are processed to slow down rapid exploitation attempts.

# Example using nginx. In the http context, define a zone keyed on the client address:
limit_req_zone $binary_remote_addr zone=saml:10m rate=10r/s;
# In the location block that serves the SAML endpoint, apply the limit:
limit_req zone=saml burst=20 nodelay;

🧯 If You Can't Patch

  • Implement network segmentation to isolate SAML endpoints from untrusted networks.
  • Deploy intrusion detection systems to monitor for malformed SAML traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Check if Lasso version 2.5.1 is installed and used for SAML processing.

Check Version:

lasso-config --version

Verify Fix Applied:

Verify that workarounds are properly implemented and test with controlled malformed SAML responses.

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption spikes in Lasso processes
  • Repeated authentication failures from SAML endpoints
  • Process crashes or restarts of Lasso services

Network Indicators:

  • Unusually large or malformed SAML responses
  • High volume of SAML requests from single sources

SIEM Query:

source="lasso.log" AND ("memory" OR "crash" OR "error") AND "SAML"
