CVE Alert: CVE-2025-46705 – Entr’ouvert – Lasso

CVE-2025-46705

HIGH · No exploitation known

A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
Entr’ouvert
Product
Lasso
Versions
2.5.1 | 2.8.2
CWE
CWE-617: Reachable Assertion
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-11-05T14:56:55.535Z
Updated
2025-11-05T22:36:34.501Z

AI Summary Analysis

Risk verdict

High risk of remote denial of service via unauthenticated, network-based SAML response handling; exploitation status appears not active at present, but impact is high.

Why this matters

A crafted SAML response can crash the service, disrupting authentication flows and potentially taking downstream applications offline. Organisations relying on SAML-based SSO may suffer outages during peak login windows, eroding continuity and customer trust.

Most likely attack path

A remote attacker sends malformed SAML assertions to the service’s network-facing endpoint; no privileges, user interaction or credentials are required. The vulnerability’s reach is scope-unchanged, so a DoS condition could rapidly exhaust resources and cause service unavailability without touching other components.

Who is most exposed

Deployments that expose SAML endpoints to the internet or to partner networks are most at risk, especially where Lasso acts as IdP/SP in customer-facing or high-availability environments.

Detection ideas

  • Spike in failures or crashes triggered by SAML endpoint processing.
  • Logs showing g_assert_not_reached or assertion-failure events.
  • Elevated CPU/memory usage on the identity service following SAML traffic bursts.
  • Anomalous traffic patterns to SAML endpoints (unusual payloads, malformed responses).
  • Increased authentication errors during incidents.
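A log-correlation sketch for the detection ideas above, added here as an example and not part of the advisory or of Lasso itself. The sample lines, host names, URL paths and the file/line/function inside the GLib ERROR line are constructed placeholders; the "code should not be reached" and "assertion failed" wording is what GLib prints before aborting, and the "code=dumped, status=6/ABRT" text is systemd's exit report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the advisory); syslog-like layout:
# "<ISO-8601 timestamp> <host> <program>: <message>".
# PLACEHOLDER.c:0:placeholder_func stands in for a real source location.
SAMPLE_LOGS = [
    "2025-11-06T09:00:01Z idp1 sso-app: POST /saml/acs 200 12ms",
    "2025-11-06T09:00:30Z idp1 sso-app: POST /saml/acs 200 11ms",
    "2025-11-06T09:00:41Z idp1 sso-app: POST /saml/acs 400 3ms",
    "2025-11-06T09:00:42Z idp1 sso-app: ERROR:PLACEHOLDER.c:0:placeholder_func: code should not be reached",
    "2025-11-06T09:00:42Z idp1 systemd: sso-app.service: Main process exited, code=dumped, status=6/ABRT",
    "2025-11-06T09:00:43Z idp1 sso-app: POST /saml/acs 502 1ms",
    "2025-11-06T09:30:00Z idp2 sso-app: ERROR:PLACEHOLDER.c:0:placeholder_func: assertion failed: (node != NULL)",
]

LINE_RE = re.compile(r"^(\S+) (\S+) ([^:]+): (.*)$")
# g_assert_not_reached() logs "... code should not be reached"; g_assert() logs
# "... assertion failed: (<expr>)"; both abort the process afterwards.
ASSERT_RE = re.compile(r"code should not be reached|assertion failed")
CRASH_RE = re.compile(r"code=dumped|status=6/ABRT")   # systemd abort report
SAML_RE = re.compile(r"POST /saml/")                  # SAML endpoint traffic


def parse(line):
    """Split one log line into (timestamp, host, program, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect(lines, window=timedelta(seconds=60), min_requests=2):
    """One alert per (host, time) where an assertion failure or abort occurred;
    severity is raised when SAML requests preceded it inside `window`."""
    events = [e for e in map(parse, lines) if e]
    alerts, seen = [], set()
    for ts, host, _, msg in events:
        if not (ASSERT_RE.search(msg) or CRASH_RE.search(msg)) or (host, ts) in seen:
            continue
        seen.add((host, ts))
        saml_hits = sum(1 for t2, h2, _, m2 in events
                        if h2 == host and ts - window <= t2 <= ts and SAML_RE.search(m2))
        alerts.append({"host": host, "at": ts.isoformat(), "trigger": msg,
                       "saml_requests_in_window": saml_hits,
                       "severity": "high" if saml_hits >= min_requests else "medium"})
    return alerts
```

Feed it journald or syslog output for the identity service; a "high" alert means a SAML-triggered abort rather than an unrelated crash.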

Mitigation and prioritisation

  • Apply vendor patch or upgrade to a fixed release as soon as available; verify compatibility in staging first.
  • Implement input validation and strict SAML response handling; enable rate-limiting and WAF rules for the SAML endpoint.
  • Monitor and alert on SAML processing crashes; establish a hotfix window if DoS signals appear.
  • Review change-management plans for identity services; prepare rollback and testing scripts.
  • If KEV or EPSS data later indicate exploitation risk, treat as priority 1.
