CVE-2025-9943: 
Linux Debian vulnerability analysis and mitigation

An SQL injection vulnerability (CVE-2025-9943) was identified in the Shibboleth Service Provider (SP) through version 3.5.0. The vulnerability exists in the 'ID' attribute of the SAML response when the replay cache is configured to use an SQL database as storage service with the ODBC plugin. The issue was discovered by Florian Stuhlmann from SEC Consult Vulnerability Lab and was disclosed on September 10, 2025 (SEC Consult, NVD).

The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271). The issue allows for blind SQL injection attacks through specially crafted inputs. The vulnerability has received a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high severity with network accessibility and no required privileges or user interaction (NVD).

An unauthenticated attacker can exploit this vulnerability via blind SQL injection, allowing for the extraction of arbitrary data from the database when the database connection is configured to use the ODBC plugin. The impact is considered moderate to high severity for organizations using the ODBC plugin, but has no impact on those not using this component (Shibboleth Advisory).

The vendor has released version 3.5.1 to address this vulnerability. Organizations are recommended to either update to version 3.5.1 (or later) of the Shibboleth Service Provider or migrate away from the ODBC storage plugin/extension. A restart of the shibd process is sufficient to apply the fix. As a workaround, users can switch to any other non-ODBC StorageService for the ReplayCache (Shibboleth Advisory).