CVE-2023-26483: 
vulnerability analysis and mitigation

A vulnerability (CVE-2023-26483) was discovered in the SAML authentication library gosaml2 affecting versions prior to v0.9.0. The vulnerability was disclosed on March 1, 2023, and impacts SAML Service Providers using this library for authentication (GitHub Advisory).

The vulnerability stems from a bug in the library's handling of deflate-compressed requests. Attackers can craft specially formatted deflate-compressed requests that consume significantly more memory during processing than the size of the original request. The maximum compression ratio achievable with deflate is 1032:1, which can be exploited to cause memory exhaustion (GitHub Advisory, Go Vulnerability Database).

This vulnerability can lead to Denial of Service (DoS) attacks against SAML Service Providers using the affected library versions. The excessive memory consumption during request processing may eventually lead to memory exhaustion and process termination (GitHub Advisory).

The issue has been patched in version v0.9.0 of the library. Before upgrading, temporary mitigations include limiting the size of bodies passed to gosaml2, restricting the rate and concurrency of calls, and ensuring sufficient memory is available to the process. However, implementors are advised not to rely solely on these workarounds and should upgrade to the patched version (GitHub Advisory).