
Cloud Vulnerability DB
An SQL injection vulnerability (CVE-2025-9943) was discovered in the Shibboleth Service Provider (SP) through version 3.5.0. The vulnerability exists in the 'ID' attribute of the SAML response when the replay cache is configured to use an SQL database as storage service. The issue was discovered on June 16, 2025, by Florian Stuhlmann from SEC Consult Vulnerability Lab and was publicly disclosed on September 11, 2025 (SEC Consult, Shibboleth Advisory).
The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271) when using the ODBC plugin. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database if the database connection is configured to use the ODBC plugin. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) (SEC Consult).
The vulnerability allows unauthenticated attackers to extract arbitrary data from the database with the rights of the database user. The severity is considered moderate to high for organizations using the ODBC plugin, while there is no impact for those not using it (Shibboleth Advisory).
The vulnerability has been fixed in Shibboleth Service Provider version 3.5.1, and organizations are advised to update to this version immediately. As a workaround, the ReplayCache can be switched to any other non-ODBC StorageService. Because the affected code runs only inside the shibd process, applying the fix requires restarting only that process (Shibboleth Advisory).
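As an added illustration (not code from Shibboleth or from either advisory), the toy replay cache below contrasts the string-built SQL pattern the advisory describes with a parameterized insert, and additionally rejects IDs that do not match the xs:ID shape a SAML ID must have; the table name, schema and function names are constructed.

```python
import re
import sqlite3
import time

# Constructed toy replay cache modelled on the SQL-backed ReplayCache the
# advisory describes: each SAML assertion ID is stored once so a replayed
# assertion is rejected. Names and schema are hypothetical, not Shibboleth's.

# xs:ID-shaped SAML ID: leading letter or underscore, then letters, digits,
# '.', '-', '_'. A single quote can never appear in a well-formed ID.
SAML_ID_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def unsafe_insert_sql(context: str, key: str) -> str:
    """Statement built by string interpolation, the pattern the advisory warns
    about: the attacker-controlled ID becomes part of the SQL text."""
    return f"INSERT INTO replay VALUES ('{context}', '{key}', 0)"


def unsafe_insert_executes(context: str, key: str) -> bool:
    """Run the interpolated statement on a throwaway DB; False means the key
    changed the statement's structure (a quote ended the literal early)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE replay(context TEXT, item TEXT, expires INTEGER)")
    try:
        db.execute(unsafe_insert_sql(context, key))
        return True
    except sqlite3.Error:
        return False


class ReplayCache:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE replay(context TEXT, item TEXT, expires INTEGER,"
            " PRIMARY KEY(context, item))"
        )

    def check(self, context: str, key: str, expires: int) -> bool:
        """True if key is new (and now recorded); False for a replay or a
        malformed ID. The key is bound as a parameter, so it is only ever data."""
        if not SAML_ID_RE.match(key):
            return False  # defence in depth: reject before touching the database
        now = int(time.time())
        self.db.execute("DELETE FROM replay WHERE expires < ?", (now,))
        try:
            self.db.execute("INSERT INTO replay VALUES (?, ?, ?)", (context, key, expires))
            return True
        except sqlite3.IntegrityError:
            return False  # same context/ID seen before: replay
```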
Source: This report was generated using AI