Entr'ouvert Lasso g_assert_not_reached denial of service vulnerability
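Entr'ouvert Lasso 2.5.1 and 2.8.2 contain a denial of service vulnerability that an attacker can trigger by sending a malformed SAML response. The vulnerability stems from the g_assert_not_reached function, is enabled by default, and has a CVSSv3 score of 7.5. 2025-11-4 23:59:48 Author: talosintelligence.com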

SUMMARY

A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Entr’ouvert Lasso 2.5.1
Entr’ouvert Lasso 2.8.2

PRODUCT URLS

Lasso - https://lasso.entrouvert.org/

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-617 - Reachable Assertion

DETAILS

The Lasso SAML Library is an open-source implementation of the Security Assertion Markup Language (SAML) standard, primarily used for enabling single sign-on (SSO) functionality across web applications. It provides tools for SAML authentication, handling assertions, metadata parsing, and service provider (SP) and identity provider (IdP) interactions.

A remote attacker can cause a crash by sending a malformed SAML authentication request and triggering an assertion error in the lasso_node_impl_init_from_xml function within the Lasso SAML library. This occurs if the library is built with the g_assert_not_reached macro enabled (default functionality). The root cause of this defect is at line 1750 of lasso/xml/xml.c. The macro can be triggered by sending XML data that, when parsed, is not considered a comment or of type XML_ELEMENT_NODE.

    static int
    lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
    {
        (...)
            } else if (t->type == XML_COMMENT_NODE || t->type == XML_PI_NODE || t->type == XML_TEXT_NODE) {
                /* ignore comments */
                continue;
            } else if (t->type == XML_ELEMENT_NODE) {
                LassoNode *subnode = NULL;
                xmlNode *first_child = NULL;
                GList **list = NULL;
                xmlChar *content = NULL;
                gboolean match = FALSE;
                struct XmlSnippet *matched_snippet = NULL;
                (...)
            } else {
                /* any other node type reaches this assertion */
                g_assert_not_reached();
            }

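
The branch chain above ends in g_assert_not_reached(), which aborts the process when input reaches it. The following added example (not Lasso's code and not the vendor's patch) shows the fail-closed alternative for parser input, where an unlisted node type becomes an error return the caller can reject. The node kinds, struct node, init_from_children and the error code are stand-in names assumed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in node kinds (assumption): the first four mirror the types the
 * excerpt handles; KIND_OTHER is any type the branch chain does not list. */
enum node_kind { KIND_ELEMENT, KIND_TEXT, KIND_PI, KIND_COMMENT, KIND_OTHER };

/* Hypothetical minimal child node, linked like libxml2's xmlNode->next. */
struct node {
    enum node_kind kind;
    const struct node *next;
};

#define INIT_OK 0
#define INIT_ERR_UNEXPECTED_NODE (-1) /* hypothetical error code */

/* Walk the children of a message element. Returns INIT_OK, or a negative
 * error the caller can turn into a rejected message. */
int init_from_children(const struct node *first, size_t *elements_seen)
{
    *elements_seen = 0;
    for (const struct node *t = first; t != NULL; t = t->next) {
        switch (t->kind) {
        case KIND_COMMENT:
        case KIND_PI:
        case KIND_TEXT:
            continue;              /* ignored, as in the excerpt */
        case KIND_ELEMENT:
            (*elements_seen)++;    /* real code would build a subnode here */
            break;
        default:
            /* Untrusted input reached this branch: report it instead of
             * aborting the whole process. */
            return INIT_ERR_UNEXPECTED_NODE;
        }
    }
    return INIT_OK;
}

int main(void)
{
    /* Constructed sample: element, comment, then an unlisted node type. */
    struct node c = { KIND_OTHER, NULL };
    struct node b = { KIND_COMMENT, &c };
    struct node a = { KIND_ELEMENT, &b };
    size_t seen;
    int rc = init_from_children(&a, &seen);
    printf("rc=%d elements_seen=%zu\n", rc, seen);
    return rc == INIT_ERR_UNEXPECTED_NODE ? 0 : 1;
}
```
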
TIMELINE

2025-05-13 - Initial Vendor Contact
2025-05-14 - Vendor Disclosure
2025-08-12 - Vendor Patch Release
2025-11-05 - Public Release

Discovered by Keane O'Kelley and another member of Cisco Advanced Security Initiative Group


Article source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2196