
Cloud Vulnerability DB
A community-led vulnerabilities database
The OpenSAML C++ library before version 3.3.1 contains a critical security vulnerability (CVE-2025-31335) that allows attackers to forge signed SAML messages through parameter manipulation when using SAML bindings that rely on non-XML signatures. This vulnerability was discovered by Alexander Tan of SecureSAML and was publicly disclosed on March 13, 2025 (Shibboleth Advisory).
The vulnerability stems from a flaw in the library's signature verification for non-XML-based signed messages: manipulated parameters, combined with content reused from older requests, can bypass the library's signature verification. It particularly affects the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses, which is enabled by default. The vulnerability has been assigned a CVSS v3.1 base score of 4.0 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N (NVD).
In specific scenarios the vulnerability has critical security implications, particularly for the Shibboleth Service Provider and implementations built on top of the OpenSAML library: it enables attackers to forge signed SAML messages, potentially leading to authentication bypass and unauthorized access to protected resources. The impact is especially severe when the HTTP-POST-SimpleSign SAML binding is used for Single Sign-On responses (Shibboleth Advisory).
The primary mitigation is to upgrade to OpenSAML library version 3.3.1 or later. For non-Windows platforms, updating the library and restarting the 'shibd' daemon is sufficient. Windows users must install Shibboleth Service Provider V3.5.0.1 or later. As a temporary workaround, users can remove the 'SimpleSigning' security policy rule from the security-policy.xml file, though this will prevent support for legitimate signed requests or responses via the HTTP-Redirect binding. Alternatively, removing the HTTP-Redirect binding from an SP's metadata will force IdPs to use the HTTP-POST binding with XML-based signatures (Shibboleth Advisory).
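To illustrate the temporary workaround, the fragment below shows where the 'SimpleSigning' rule sits in a Shibboleth SP 3 security-policy.xml and how it is taken out of the policy. This is an added example, not text from the advisory; the file path, Policy id, namespace and surrounding rules are assumed to follow the default SP 3 distribution, and other rules are omitted.

```xml
<!-- Assumed layout of /etc/shibboleth/security-policy.xml (Shibboleth SP 3);
     rules not relevant to this workaround are omitted. -->
<SecurityPolicies xmlns="urn:mace:shibboleth:3.0:native:sp:config">
    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <!-- XML-based signatures (used by the HTTP-POST binding) stay enforced. -->
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <!-- Temporary workaround for CVE-2025-31335: the SimpleSigning rule is the
             one that evaluates non-XML signatures (HTTP-POST-SimpleSign and
             HTTP-Redirect). Commenting it out disables that verification path,
             so legitimately signed HTTP-Redirect requests or responses are no
             longer supported; upgrading to OpenSAML 3.3.1 is the real fix.
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
        -->
    </Policy>
</SecurityPolicies>
```

After editing the file, restart shibd so the policy is reloaded.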
Source: This report was generated using AI