{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/composer/simplesamlphp/saml2--4.20.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["composer/simplesamlphp/saml2 \u003c= 4.20.2","composer/simplesamlphp/saml2-legacy \u003c= 4.20.2"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","saml","php"],"_cs_type":"advisory","_cs_vendors":["SimpleSAMLphp"],"content_html":"\u003cp\u003eSimpleSAMLphp, a widely used open-source PHP application for SAML 2.0 service providers and identity providers, along with its underlying SAML2 library (composer/simplesamlphp/saml2 and composer/simplesamlphp/saml2-legacy), was found to be vulnerable to a Denial-of-Service (DoS) attack, tracked as CVE-2026-49289. The vulnerability, identified on or before July 2, 2026, arises from its handling of XPath transforms within SAML messages. Attackers can craft malicious SAML messages that, when processed by a vulnerable SimpleSAMLphp instance, cause resource exhaustion and lead to service interruption. This impacts any entity relying on these components and necessitates immediate updates to mitigate the risk of service disruption. A mitigation has been implemented in later versions (beyond 4.20.2) to restrict the number of transforms and disallow XPath transforms explicitly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target entity relying on SimpleSAMLphp for SAML processing.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specially designed SAML message incorporating complex or excessive XPath transforms.\u003c/li\u003e\n\u003cli\u003eThe malicious SAML message is sent to the vulnerable SimpleSAMLphp instance, typically via an unauthenticated or authenticated SAML request/response endpoint.\u003c/li\u003e\n\u003cli\u003eThe SimpleSAMLphp application receives and begins parsing the incoming SAML message, including its XPath transforms.\u003c/li\u003e\n\u003cli\u003eDuring the processing of the XPath transforms, the application consumes excessive system resources (CPU, memory).\u003c/li\u003e\n\u003cli\u003eDue to resource exhaustion, the SimpleSAMLphp instance becomes unresponsive or crashes, leading to a Denial-of-Service for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-49289 allows an attacker to render any entity relying on SimpleSAMLphp or the SAML2 library (versions \u0026lt;= 4.20.2) unavailable. This directly impacts the ability of legitimate users to authenticate or access services protected by SimpleSAMLphp, leading to significant operational disruption, reputational damage, and potential financial losses for affected organizations. The vulnerability affects critical authentication infrastructure, making it a high-priority concern for any organization utilizing SimpleSAMLphp.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-49289 by upgrading \u003ccode\u003ecomposer/simplesamlphp/saml2\u003c/code\u003e and \u003ccode\u003ecomposer/simplesamlphp/saml2-legacy\u003c/code\u003e to versions greater than 4.20.2 immediately.\u003c/li\u003e\n\u003cli\u003eReview the mitigation details provided in the GHSA-5cjr-mxj5-wmrx advisory for specific implementation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:25:05Z","date_published":"2026-07-03T11:25:05Z","id":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-dos-xpath/","summary":"SimpleSAMLphp and its SAML2 library are vulnerable to CVE-2026-49289, allowing attackers to perform a Denial-of-Service attack by sending specially crafted SAML messages containing XPath transforms, leading to resource exhaustion and service unavailability.","title":"SimpleSAMLphp Vulnerable to Denial-of-Service via Malicious XPath Transform","url":"https://feed.craftedsignal.io/briefs/2026-07-simplesamlphp-dos-xpath/"}],"language":"en","title":"CraftedSignal Threat Feed - Composer/Simplesamlphp/Saml2 \u003c= 4.20.2","version":"https://jsonfeed.org/version/1.1"}