CVE-2025-46784: 
NixOS vulnerability analysis and mitigation

A denial of service vulnerability (CVE-2025-46784) was discovered in Entr'ouvert Lasso version 2.5.1, specifically in the lasso_node_init_from_message_with_format functionality. The vulnerability was discovered by Keane O'Kelly and another member of Cisco Advanced Security Initiative Group, with initial vendor contact made on May 13, 2025, and public disclosure on November 5, 2025. The affected software, Lasso SAML Library, is an open-source implementation of the Security Assertion Markup Language (SAML) standard used for enabling single sign-on (SSO) functionality across web applications (Talos Report).

The vulnerability exists due to improper memory management in the lasso_node_init_from_message_with_format function. Specifically, g_malloc is used to allocate a buffer msg at line 2599, but the memory is not properly deallocated at the end of the function. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network-accessible, requires low attack complexity, and needs no privileges or user interaction. The vulnerability is classified as CWE-401 (Improper Release of Memory Before Removing Last Reference) (Talos Report).

When successfully exploited, this vulnerability can lead to memory depletion, resulting in a denial of service condition. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (Talos Report).

A vendor patch was released on August 12, 2025, to address this vulnerability. Organizations using Entr'ouvert Lasso 2.5.1 should upgrade to the patched version (Talos Report).