CVE-2025-9943
published 2025-09-10


Priority P262 · critical · CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS 0.37% (28.6th percentile)
An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin. The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271). This issue affects Shibboleth Service Provider through 3.5.0.

Affected

6 ranges

Vendor     | Product          | Version range                                         | Fixed in
debian     | shibboleth-sp    | < shibboleth-sp 3.4.1+dfsg-2+deb12u1 (bookworm)       | shibboleth-sp 3.4.1+dfsg-2+deb12u1 (bookworm)
internet2  | shibboleth-sp    | >= 0, < 3.2.2+dfsg1-1+deb11u1                         | 3.2.2+dfsg1-1+deb11u1
internet2  | shibboleth-sp    | >= 0, < 3.4.1+dfsg-2+deb12u1                          | 3.4.1+dfsg-2+deb12u1
internet2  | shibboleth-sp    | >= 0, < 3.5.0+dfsg-2+deb13u1                          | 3.5.0+dfsg-2+deb13u1
internet2  | shibboleth-sp    | >= 0, < 3.5.1+dfsg-1                                  | 3.5.1+dfsg-1
shibboleth | service_provider | <= 3.5.0                                              |

Detection & IOCs (extracted from sources)

  • The injection point is the "ID" attribute of the SAML response. The SAMLResponse form parameter is base64-encoded, so decode it before inspecting; then look for anomalous, oversized or malformed ID values containing SQL metacharacters (single quotes, comment sequences) in responses sent to Shibboleth SP endpoints.
  • Exploitation is blind SQL injection: watch for repeated SAML POST requests from one source with systematically varying ID values (boolean-based or time-based patterns such as conditional sleeps) to the SP's assertion consumer service (ACS) endpoint.
  • Exploitation requires the ODBC plugin for the database connection. Triage alerts by confirming in shibboleth2.xml that the replay cache's StorageService is of type ODBC before escalating.
  • The vulnerable code path is the SQLString class in odbc-store.cpp (lines 253-271); insufficient escaping of single quotes is the root cause. Inspect shibd logs for SQL errors or unexpected query behaviour coming from the ODBC storage plugin.
  • The issue is only exploitable when the SP replay cache is configured to use an SQL database as its storage service; deployments using other backends (e.g. memcache, in-memory) are not affected.
  • The ODBC plugin must be the configured database connector; SQL backends reached through other drivers are not confirmed vulnerable.
  • All Shibboleth SP versions through 3.5.0 are affected. Debian has issued fixes across its branches (bullseye: 3.2.2+dfsg1-1+deb11u1, bookworm: 3.4.1+dfsg-2+deb12u1, trixie: 3.5.0+dfsg-2+deb13u1, forky/sid: 3.5.1+dfsg-1).
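As an added worked example (not Shibboleth project code and not from the advisory), the following Python implements the two checks listed above: a configuration triage that reports whether the replay cache is backed by an ODBC StorageService, and a scanner that decodes SAMLResponse POST bodies sent to the ACS, pulls the ID attribute off Response and Assertion elements, and flags values carrying SQL metacharacters per source IP. The shibboleth2.xml fragment, the SAML responses and the request records are constructed samples; the ACS path /Shibboleth.sso/SAML2/POST is the SP's default, and the ID-attribute regex and the SQL-marker list are assumptions chosen for illustration.

```python
"""Added example for CVE-2025-9943 triage and detection (not Shibboleth code).

1. replay_cache_uses_odbc(): is the ReplayCache backed by an ODBC StorageService?
2. scan_saml_posts(): decode SAMLResponse POST bodies sent to the ACS and flag
   Response/Assertion ID attributes that carry SQL metacharacters, per source IP.
"""
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import parse_qs, quote

ACS_PATH = "/Shibboleth.sso/SAML2/POST"   # default SP assertion consumer service path


# --- 1. configuration triage ------------------------------------------------

def _local(tag):
    """Drop the XML namespace so tags compare as plain 'StorageService' etc."""
    return tag.rsplit("}", 1)[-1]


def replay_cache_uses_odbc(shibboleth2_xml):
    """True when <ReplayCache StorageService="x"/> refers to a StorageService
    whose type is ODBC, i.e. the configuration the advisory describes."""
    stores, replay_ref = {}, None
    for el in ET.fromstring(shibboleth2_xml).iter():
        name = _local(el.tag)
        if name == "StorageService":
            stores[el.get("id")] = el.get("type", "")
        elif name == "ReplayCache":
            replay_ref = el.get("StorageService")
    # no StorageService reference at all: the replay cache is not on the ODBC path
    return replay_ref is not None and stores.get(replay_ref, "").upper() == "ODBC"


# --- 2. SAML POST inspection ------------------------------------------------

# ID="..." on a <saml2p:Response> or <saml2:Assertion> start tag (prefix optional);
# a regex rather than an XML parser so deliberately malformed payloads still get inspected
_ID_ATTR = re.compile(r'<(?:\w+:)?(Response|Assertion)\b[^>]*?\bID="([^"]*)"')
# characters and keywords that never belong in an xs:ID value (assumed marker list)
_SQL_MARKERS = re.compile(r"'|--|/\*|;|\b(?:sleep|pg_sleep|waitfor|benchmark|union|select)\b", re.I)
# xs:ID is an NCName: no spaces, no quotes, must not start with a digit
_VALID_ID = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def extract_ids(saml_response_b64):
    """Decode a base64 SAMLResponse value; return [(element, ID), ...]."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8", errors="replace")
    return _ID_ATTR.findall(xml_text)


def suspicious_ids(saml_response_b64):
    """IDs that are not well-formed xs:ID values or that contain SQL metacharacters."""
    return [(elem, val) for elem, val in extract_ids(saml_response_b64)
            if not _VALID_ID.match(val) or _SQL_MARKERS.search(val)]


def scan_saml_posts(records, acs_path=ACS_PATH):
    """records: dicts with src_ip, path and body (the url-encoded POST body).
    Returns {src_ip: [(element, ID), ...]} for sources that sent suspicious IDs;
    several hits from one source with varying IDs is the blind-SQLi probing pattern."""
    hits = defaultdict(list)
    for rec in records:
        if rec["path"] != acs_path:
            continue
        for b64 in parse_qs(rec["body"]).get("SAMLResponse", []):
            hits[rec["src_ip"]].extend(suspicious_ids(b64))
    return {ip: found for ip, found in hits.items() if found}


# --- constructed samples ----------------------------------------------------

def sample_config(replay_backend):
    """Constructed minimal shibboleth2.xml with an ODBC and a Memory StorageService;
    replay_backend selects which one the ReplayCache points at."""
    return f'''<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">
  <OutOfProcess><Extensions><Library path="odbc-store.so" fatal="true"/></Extensions></OutOfProcess>
  <StorageService type="ODBC" id="db" cleanupInterval="900">
    <ConnectionString>DSN=shibd;UID=shib;PWD=example</ConnectionString>
  </StorageService>
  <StorageService type="Memory" id="mem" cleanupInterval="900"/>
  <SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"/>
  <ReplayCache StorageService="{replay_backend}"/>
</SPConfig>'''


def _response(resp_id, assertion_id):
    """Minimal unsigned SAML 2.0 Response used only to build the sample POST bodies."""
    return (f'<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="{resp_id}" Version="2.0">'
            f'<saml2:Assertion ID="{assertion_id}" Version="2.0"/></saml2p:Response>')


def _post_body(xml_text):
    """Encode as a browser would: base64, then url-encoded SAMLResponse parameter."""
    return "SAMLResponse=" + quote(base64.b64encode(xml_text.encode()).decode(), safe="")


SAMPLE_POSTS = [  # constructed request records, not real traffic
    {"src_ip": "203.0.113.5", "path": ACS_PATH,   # ordinary login
     "body": _post_body(_response("_5a1f0c3e8b2d4f6a9c0e1d2b3a4f5e6d",
                                  "_7b2e9d1c0f3a4e5b6c7d8e9f0a1b2c3d"))},
    {"src_ip": "198.51.100.7", "path": ACS_PATH,  # time-based blind probe
     "body": _post_body(_response("_x' AND SLEEP(5)-- ", "_0000000000000001"))},
    {"src_ip": "198.51.100.7", "path": ACS_PATH,  # boolean-based blind probe
     "body": _post_body(_response("_x' AND 1=1-- ", "_0000000000000002"))},
    {"src_ip": "198.51.100.7", "path": "/Shibboleth.sso/Metadata", "body": ""},  # not the ACS
]

if __name__ == "__main__":
    print("replay cache on ODBC:", replay_cache_uses_odbc(sample_config("db")))
    for ip, found in scan_saml_posts(SAMPLE_POSTS).items():
        print(ip, found)
```

In production the records would come from the web server access log or a request-body capture in front of shibd; the SAMLResponse value must be url-decoded and base64-decoded (as the block does) before the ID attribute is visible, and a single source producing several suspicious IDs is the signal to escalate, after confirming with the configuration check that the deployment actually uses an ODBC-backed replay cache.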

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.1   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
osv           |         | 9.1   | CRITICAL |
vendor_debian |         | 9.1   | CRITICAL |