CVE-2025-27773: 
PHP vulnerability analysis and mitigation

The SimpleSAMLphp SAML2 library, a PHP library for SAML2 related functionality, was found to contain a signature confusion vulnerability in versions prior to 4.17.0 and 5.0.0-alpha.20. The vulnerability was discovered and disclosed on March 11, 2025, affecting the HTTPRedirect binding implementation (GitHub Advisory).

The vulnerability exists in the HTTPRedirect binding's signature verification process. The issue allows an attacker to manipulate the signature verification by exploiting how the library processes SAMLRequest and SAMLResponse parameters. The vulnerability has been assigned a CVSS v3.1 score of 8.6 (High) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N, indicating it can be exploited remotely without requiring privileges or user interaction (GitHub Advisory).

An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. This could allow an attacker to effectively impersonate any user within the Service Provider (SP). The vulnerability is particularly impactful because there are no checks to verify that SAMLRequest actually contains a Request - it could instead contain a Response (GitHub Advisory).

The vulnerability has been fixed in versions 4.17.0 and 5.0.0-alpha.20. Users are strongly recommended to upgrade to these patched versions. The fix involves improving how the signed query is built and verified from the same message that will be consumed (GitHub Advisory).