CVE Alert: CVE-2025-46784 – Entr’ouvert – Lasso
CVE-2025-46784
A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.
AI Summary Analysis
Risk verdict
High risk of remote denial-of-service on Entr’ouvert Lasso 2.5.1, with exploitation not currently flagged as active.
Why this matters
A malformed SAML response can exhaust memory and crash the service, disrupting authentication flows and causing downtime. The impact can cascade to user access, business operations, and customer trust, especially in identity-driven environments.
Most likely attack path
An unauthenticated attacker reachable over the network sends a crafted SAML response to the Lasso component that processes SAML messages. No user interaction or privileges are required, so a single remote trigger can induce a DoS without broader access. Because the CVSS scope is unchanged, the impact is confined to the affected service instance, although the availability of systems that depend on it for authentication may suffer as well.
Who is most exposed
Deployments that expose Lasso’s SAML handling to the Internet or untrusted networks are most at risk, particularly IdP gateways, SSO bridges, and cloud or on-prem integrations with public endpoints.
Detection ideas
- Sudden spikes in memory/CPU and service restarts on the Lasso node.
- Logs showing failed SAML processing or malformed SAML payloads.
- Unusual traffic to SAML endpoints, including large or malformed responses.
- Crash dumps or heap errors linked to lasso_node_init_from_message_with_format.
- Monitoring alerts for authentication service downtime or degraded SSO performance.
Mitigation and prioritisation
- Patch to a fixed version or vendor-recommended update immediately; verify release notes for DoS fixes.
- Implement input validation and strict SAML response size controls at the gateway.
- Enable rate limiting and WAF rules to block malformed SAML messages.
- Segment and harden SAML endpoints; restrict exposure of the SSO interface.
- Plan a change window for upgrade and conduct regression tests around authentication flows.
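As an added illustration of the "strict SAML response size controls at the gateway" item above (example code written for this alert, not part of Lasso or of the advisory, and not tied to the specific root cause of CVE-2025-46784, which the advisory does not describe): a front-end check that caps the encoded, decoded and, for the HTTP-Redirect binding, inflated size of a SAMLResponse parameter before any XML is handed to the SAML library. The byte limits are constructed values for the example.

```python
import base64
import binascii
import zlib

# Constructed limits for this example; tune them to the largest legitimate
# response your IdP actually issues.
MAX_ENCODED_BYTES = 64 * 1024    # size of the base64 form/query parameter
MAX_DECODED_BYTES = 256 * 1024   # size of the XML passed on to the SAML library


class SamlResponseTooLarge(ValueError):
    """Raised when a SAMLResponse exceeds one of the configured caps."""


def bounded_saml_response(encoded: str, redirect_binding: bool = False) -> bytes:
    """Decode a SAMLResponse parameter under hard size limits.

    Oversized input is rejected before any XML parsing, so a malformed or
    inflated message cannot drive unbounded memory use downstream. With
    redirect_binding=True the raw-DEFLATE form used by the HTTP-Redirect
    binding is inflated with a cap on the output size (decompression bombs
    are stopped at the cap instead of being expanded in full).
    """
    if len(encoded) > MAX_ENCODED_BYTES:
        raise SamlResponseTooLarge(f"encoded length {len(encoded)} exceeds cap")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError("SAMLResponse is not valid base64") from exc
    if redirect_binding:
        inflater = zlib.decompressobj(wbits=-15)          # raw DEFLATE, no header
        raw = inflater.decompress(raw, MAX_DECODED_BYTES + 1)
        if len(raw) > MAX_DECODED_BYTES or inflater.unconsumed_tail:
            raise SamlResponseTooLarge("inflated SAMLResponse exceeds cap")
        if not inflater.eof:
            raise ValueError("truncated DEFLATE stream in SAMLResponse")
    if len(raw) > MAX_DECODED_BYTES:
        raise SamlResponseTooLarge(f"decoded length {len(raw)} exceeds cap")
    return raw


def is_within_limits(encoded: str, redirect_binding: bool = False) -> bool:
    """Gateway-rule predicate: True only if the message passes every cap cleanly."""
    try:
        bounded_saml_response(encoded, redirect_binding)
        return True
    except (ValueError, zlib.error):
        return False


def make_post_param(xml: bytes) -> str:
    """Encode as the HTTP-POST binding does (base64 only); used for the checks below."""
    return base64.b64encode(xml).decode()


def make_redirect_param(xml: bytes) -> str:
    """Encode as the HTTP-Redirect binding does (raw DEFLATE, then base64)."""
    compressor = zlib.compressobj(wbits=-15)
    return base64.b64encode(compressor.compress(xml) + compressor.flush()).decode()
```

The same caps can be applied as a request-body limit in a reverse proxy; the value of doing it in code is the bounded inflate, which a plain body-size limit does not cover.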