Add New SAML Attack Based on parser differentials

[d0ge]

Hi @tobiashort,

Hope you are doing well.

I’d like to propose implementing two new CVEs: CVE-2025-25291 and CVE-2025-25292. If you want to read more about vulnerabilities - write up is available here https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

• GHSA-754f-8gm6-c4r2
• GHSA-4vc4-m8qh-g8jm

Would you be interested in having this added to the SAMLRaider extension?

If so, I’m happy to handle the implementation. I can make a test environment similar to the previous one, so you can easily reproduce issue.

Looking forward to hearing your thoughts!

Cheers

[tobiashort]

Hi @d0ge

Of course. I am happy to review and test your implementations.

Tobias

[d0ge]

Great! I will return shortly with the first implementation.

[d0ge]

Hi @tobiashort
Hope you are doing well.
I added two new CVEs to the SAML Raider scan checks - #94
There is one thing I am not sure about is automatic time attributes update, SAML Raider never did it before, however without it, exploitation of Gitlab is almost impossible.
Please let me know if you would prefer to remove it.

[d0ge]

Hi @tobiashort
Hope you’re doing well! 👋
I wanted to follow up and check if you’ve had a chance to review PR #94. Please let me know if there’s anything unclear or if you’d like any changes.
Cheers

[tobiashort]

Hi @d0ge
Sorry, I was very busy lately.
I have looked at it, but hadn't time to really test it.

I think all the previous work has paid out and it is nice to see how we can implement new checks and attacks with no to minor side effects on the other code.

You said, you are not sure about the automatic time attributes update. I think if it is necessary that the exploit works as you say, then it is probably fine.

I should have some time to test it until Monday evening if this is okay.

Tobias

[tobiashort]

I tested CVE-2025-25291 within a test environment with FusionAuth as an IdP. The exploit works well! Fixed a bug where the help description was not correctly displayed.

[d0ge]

Hi @tobiashort,
Thank you for taking the time to test the feature. I hadn’t noticed the issue with the help dialog, really appreciate you spotting it and getting it sorted!

[tobiashort]

Merged to master #94

[tobiashort]

Will create new Release v2.4.0