=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN849
_____________________________________________________________________

DATE                : 12/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running onelogin/php-saml (Composer) 
                     versions prior to 2.21.1, 3.8.1, 4.3.1.

=====================================================================
https://github.com/SAML-Toolkits/php-saml/security/advisories/GHSA-5j8p-438x-rgg5
_____________________________________________________________________

Vulnerability in xmlseclibs CVE-2025-66475
Critical
pitbulk published GHSA-5j8p-438x-rgg5 Dec 9, 2025

Package
onelogin/php-saml (Composer)

Affected versions
<2.21.1 || >=3.0.0 < 3.8.1 || >= 4.0.0 < 4.3.1

Patched versions
2.21.1, 3.8.1, 4.3.1


Description

Summary

There is a critical vulnerability in xmlseclibs (CVE-2025-66475), a
dependency of php-saml.

Update to one of the following versions of php-saml, which force the
use of patched versions of xmlseclibs:

    2.21.1
    3.8.1
    4.3.1
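A quick way to find out whether a deployment is still inside one of the
affected ranges is to read the installed version straight out of
composer.lock and compare it against the ranges above. The script below is
an added example, not code from the advisory or from the php-saml project;
it only encodes the ranges stated in this note (<2.21.1, >=3.0.0 <3.8.1,
>=4.0.0 <4.3.1), and the composer.lock content it parses is a constructed
sample, not a real project's lock file.

```python
"""Check a composer.lock for onelogin/php-saml versions affected by
GHSA-5j8p-438x-rgg5 (xmlseclibs CVE-2025-66475).

Added example; the affected ranges come from the advisory text, everything
else (file handling, sample data) is assumed for illustration.
"""
import json
import re

PACKAGE = "onelogin/php-saml"

# Affected ranges from the advisory: (lower bound inclusive or None,
# upper bound exclusive). Versions at or above each upper bound are patched.
AFFECTED_RANGES = [
    (None, (2, 21, 1)),        # <2.21.1
    ((3, 0, 0), (3, 8, 1)),    # >=3.0.0 <3.8.1
    ((4, 0, 0), (4, 3, 1)),    # >=4.0.0 <4.3.1
]


def parse_version(version):
    """Turn 'v3.7.0' or '3.7.0' into a comparable (major, minor, patch) tuple.

    Composer lock files may carry a leading 'v'; a pre-release suffix such as
    '4.3.1-rc1' is ignored and the numeric part is compared as-is.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the given php-saml version falls in an affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return True
    return False


def installed_versions(lock_text):
    """Return {package_name: version} for 'packages' and 'packages-dev'
    sections of a composer.lock document."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def check_lock(lock_text):
    """Return (version, affected) for onelogin/php-saml, or (None, False)
    when the package is not present in the lock file at all."""
    version = installed_versions(lock_text).get(PACKAGE)
    if version is None:
        return None, False
    return version, is_affected(version)


# Constructed sample composer.lock (not from a real project): a 3.x install
# that sits below the 3.8.1 patch release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "onelogin/php-saml", "version": "3.7.0"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    state = "AFFECTED, update required" if affected else "not in an affected range"
    print(f"{PACKAGE} {version}: {state}")
```

To run it against a real deployment, replace SAMPLE_LOCK with the contents
of the application's composer.lock (open(...).read()). Note that the check
is on php-saml only: the advisory states the patched php-saml releases but
gives no version bounds for xmlseclibs itself, so a project pulling in
xmlseclibs directly should consult the xmlseclibs advisory for
CVE-2025-66475 separately.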


Impact

Signature wrapping vulnerabilities allow an attacker to impersonate
a user.


Severity
Critical
9.3 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CVE ID
No known CVE for php-saml itself (CVE-2025-66475 is assigned to the
xmlseclibs dependency)

Weaknesses
No CWEs

Credits

    @d0ge d0ge Reporter


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================