CVE-2025-9943
Published 2025-09-10
Priority P262 · critical 9.1 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.37% (28.6th percentile)
An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin. The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271).
This issue affects Shibboleth Service Provider through 3.5.0.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | shibboleth-sp | < shibboleth-sp 3.4.1+dfsg-2+deb12u1 (bookworm) | shibboleth-sp 3.4.1+dfsg-2+deb12u1 (bookworm) |
| internet2 | shibboleth-sp | >= 0 < 3.2.2+dfsg1-1+deb11u1 | 3.2.2+dfsg1-1+deb11u1 |
| internet2 | shibboleth-sp | >= 0 < 3.4.1+dfsg-2+deb12u1 | 3.4.1+dfsg-2+deb12u1 |
| internet2 | shibboleth-sp | >= 0 < 3.5.0+dfsg-2+deb13u1 | 3.5.0+dfsg-2+deb13u1 |
| internet2 | shibboleth-sp | >= 0 < 3.5.1+dfsg-1 | 3.5.1+dfsg-1 |
| shibboleth | service_provider | <= 3.5.0 | — |
Detection & IOCs (extracted from sources)
- SQL injection entry point is the 'ID' attribute of the SAML response; monitor for anomalous or oversized/malformed ID attribute values containing SQL metacharacters (e.g., single quotes) in SAML assertions directed at Shibboleth SP endpoints.
- The vulnerability is exploited as blind SQL injection; look for repeated SAML POST requests with systematically varying ID attribute values (boolean-based or time-based blind SQLi patterns) to the SP's assertion consumer service (ACS) endpoint.
- Exploitation requires the ODBC plugin to be in use for the database connection; triage alerts by confirming the SP's storage service is configured with the ODBC plugin before escalating.
- The vulnerable code path is in the SQLString class within odbc-store.cpp (lines 253-271); insufficient escaping of single quotes is the root cause. Inspect SP logs for SQL errors or unexpected query behaviour originating from that code path.
- The vulnerability is only exploitable when the Shibboleth SP replay cache storage service is configured to use an SQL database backend; deployments using other storage backends (e.g., memcache, in-memory) are not affected.
- The ODBC plugin must be the configured database connector; SQL database backends using other drivers are not confirmed vulnerable.
- All Shibboleth SP versions through 3.5.0 are affected; Debian has issued fixes across stable/testing/sid branches (bookworm: 3.4.1+dfsg-2+deb12u1, bullseye: 3.2.2+dfsg1-1+deb11u1, trixie: 3.5.0+dfsg-2+deb13u1, forky/sid: 3.5.1+dfsg-1).
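The two defensive checks that follow from the items above, as an added example (this is not Shibboleth SP code and does not reproduce the SQLString class in odbc-store.cpp): a SAML `ID` attribute is an `xs:ID`, i.e. an XML NCName, so a legitimate value can never contain a single quote or other SQL metacharacters, and any value that does reach an SQL string literal must have its single quotes doubled (or, better, be bound as a query parameter). The function names `isValidSamlId`, `looksLikeSqliProbe`, `escapeSqlLiteral` and `quoted` are this example's own; the NCName check is restricted to ASCII and the 256-byte length ceiling is an assumed triage threshold.

```cpp
#include <cassert>
#include <cctype>
#include <cstdio>
#include <string>

// Added example, not Shibboleth SP code. Validates SAML "ID" values as ASCII
// NCNames: first char a letter or '_', remaining chars letters, digits, '.',
// '-' or '_'. Rejecting anything else at the XML layer means a replay-cache
// key can never carry a quote into the storage backend in the first place.
// (Assumption of this example: non-ASCII name characters are rejected too.)
bool isValidSamlId(const std::string& id) {
    if (id.empty()) return false;
    unsigned char c0 = static_cast<unsigned char>(id[0]);
    if (!(std::isalpha(c0) || c0 == '_')) return false;
    for (size_t i = 1; i < id.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(id[i]);
        if (!(std::isalnum(c) || c == '.' || c == '-' || c == '_')) return false;
    }
    return true;
}

// Detection helper for the IOC bullets above: flags an ID value that is
// oversized or carries SQL metacharacters (quote, semicolon, comment
// markers). The 256-byte ceiling is an assumed triage threshold.
bool looksLikeSqliProbe(const std::string& id, size_t maxLen = 256) {
    if (id.size() > maxLen) return true;
    if (id.find('\'') != std::string::npos) return true;
    if (id.find(';') != std::string::npos) return true;
    if (id.find("--") != std::string::npos) return true;
    if (id.find("/*") != std::string::npos) return true;
    return false;
}

// Mitigation at the SQL layer: double every single quote so the value cannot
// terminate the enclosing '...' literal. Parameter binding is preferable;
// this is the minimum correct escaping for a quoted literal.
std::string escapeSqlLiteral(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 8);
    for (char c : in) {
        if (c == '\'') out += "''";
        else out += c;
    }
    return out;
}

// Wraps an escaped value in single quotes, as it would appear in a query.
std::string quoted(const std::string& in) {
    return "'" + escapeSqlLiteral(in) + "'";
}

int main() {
    // Constructed sample values: one well-formed ID, one malformed one.
    const std::string good = "_a1b2c3-d4.e5";
    const std::string bad = "_abc'--";
    std::printf("%s valid=%d probe=%d literal=%s\n", good.c_str(),
                isValidSamlId(good), looksLikeSqliProbe(good), quoted(good).c_str());
    std::printf("%s valid=%d probe=%d literal=%s\n", bad.c_str(),
                isValidSamlId(bad), looksLikeSqliProbe(bad), quoted(bad).c_str());
    return 0;
}
```

In a deployment, the NCName check belongs at the point where the SAML response is parsed, before the ID is handed to the replay cache; the detection helper is the kind of rule an analyst would run over ACS request logs to surface the boolean- or time-based probing pattern described above.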
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| osv | 9.1 | CRITICAL | |
| vendor_debian | 9.1 | CRITICAL | |
Debian
CVE-2025-9943 [CRITICAL]: shibboleth-sp - An SQL injection vulnerability has been identified in the "ID" attribute of the ...
vendor_debian · 2025 · CVSS 9.1
Scope: local
bookworm: resolved (fixed in 3.4.1+dfsg-2+deb12u1)
bullseye: resolved (fixed in 3.2.2+dfsg1-1+deb11u1)
forky: resolved (fixed in 3.5.1+dfsg-1)
sid: resolved (fixed in 3.5.1+dfs
OSV
CVE-2025-9943 [CRITICAL]: An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider
osv · 2025-09-10 · CVSS 9.1
GHSA
GHSA-p7fp-v35q-pm7j [CRITICAL] CWE-89: An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider
ghsa_unreviewed · 2025-09-10
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.