A denial of service vulnerability (CVE-2025-46784) was discovered in Entr'ouvert Lasso version 2.5.1, specifically in the `lasso_node_init_from_message_with_format` function. The vulnerability was discovered by Keane O'Kelley and another member of Cisco Advanced Security Initiative Group, with initial vendor contact made on May 13, 2025, and public disclosure on November 5, 2025. The affected software, the Lasso SAML library, is an open-source implementation of the Security Assertion Markup Language (SAML) standard used to provide single sign-on (SSO) across web applications (Talos).
The vulnerability is a memory leak in `lasso_node_init_from_message_with_format`. Specifically, `g_malloc` is used to allocate a buffer `msg` at line 2599, but the allocated memory is not released at the end of the function on all execution paths. Because the function handles incoming SAML messages, an unauthenticated remote client can trigger the leak repeatedly. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with no privileges or user interaction required. The vulnerability is classified under CWE-401 (Improper Release of Memory Before Removing Last Reference) ([Talos](https://talosintelligence.com/vulnerabilityreports/TALOS-2025-2195)).
When successfully exploited, this vulnerability can lead to memory exhaustion on the affected system, resulting in a denial of service condition. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (Talos).
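The following is an added illustration of the bug class described above, not Lasso's code and not the actual vulnerable function: a message parser allocates a working copy of its input and, on a validation failure, returns without freeing it (CWE-401). The names `parse_message_leaky`, `parse_message_fixed`, `looks_like_xml` and `buffers_leaked_after` are hypothetical, plain `malloc`/`free` stand in for `g_malloc`/`g_free`, and the allocation counter and the malformed sample message are constructed for the demonstration. The fixed variant shows the standard remedy of funnelling every exit through one cleanup point.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumentation for the demo: count buffers that are still allocated. */
static long live_buffers = 0;

static char *tracked_alloc(size_t n)
{
    char *p = malloc(n);
    if (p)
        live_buffers++;
    return p;
}

static void tracked_free(char *p)
{
    if (p) {
        live_buffers--;
        free(p);
    }
}

/* Hypothetical validation step: accept only input that at least looks like
 * an XML element. Real SAML message handling is far more involved. */
static int looks_like_xml(const char *msg)
{
    size_t n = strlen(msg);
    return n >= 3 && msg[0] == '<' && msg[n - 1] == '>';
}

/* Vulnerable shape: the working copy is allocated, but the validation
 * failure path returns without releasing it (CWE-401). */
int parse_message_leaky(const char *input)
{
    size_t len = strlen(input);
    char *msg = tracked_alloc(len + 1);
    if (!msg)
        return -1;
    memcpy(msg, input, len + 1);

    if (!looks_like_xml(msg))
        return -1;          /* BUG: msg is never freed on this path */

    /* ... parsing of the validated message would go here ... */
    tracked_free(msg);
    return 0;
}

/* Hardened shape: a single exit point releases the buffer on every path. */
int parse_message_fixed(const char *input)
{
    int rc = -1;
    size_t len = strlen(input);
    char *msg = tracked_alloc(len + 1);
    if (!msg)
        return -1;
    memcpy(msg, input, len + 1);

    if (!looks_like_xml(msg))
        goto cleanup;       /* error path still reaches the free */

    /* ... parsing of the validated message would go here ... */
    rc = 0;
cleanup:
    tracked_free(msg);
    return rc;
}

/* Feed n malformed messages (constructed input) to a parser and return how
 * many buffers are still live afterwards. For the leaky parser this grows
 * by one per message, which is exactly the remote memory-exhaustion DoS. */
long buffers_leaked_after(int (*parse)(const char *), int n)
{
    live_buffers = 0;
    for (int i = 0; i < n; i++)
        parse("this is not a SAML message");
    return live_buffers;
}

int main(void)
{
    printf("leaky parser: %ld buffers still live after 1000 bad messages\n",
           buffers_leaked_after(parse_message_leaky, 1000));
    printf("fixed parser: %ld buffers still live after 1000 bad messages\n",
           buffers_leaked_after(parse_message_fixed, 1000));
    return 0;
}
```

Compiling the example with `-fsanitize=address` (LeakSanitizer) or running it under `valgrind --leak-check=full` reports the leak in `parse_message_leaky` without any counter instrumentation; that is the check to add to the fuzzing or CI harness of any network-facing parser. In GLib-based code such as Lasso, `g_autofree` on the pointer declaration is an alternative to the `goto cleanup` pattern, since it frees the buffer automatically on every return path.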
A patch for this vulnerability was released by the vendor on August 12, 2025. Users of Entr'ouvert Lasso 2.5.1 should upgrade to the patched version as soon as possible (Talos).
Source: This report was generated using AI