平台
dotnet
组件
spid.aspnetcore.authentication
修复版本
3.4.1
3.4.0
CVE-2025-24894 describes a critical vulnerability within the SPID.AspNetCore.Authentication library, a component used for authentication leveraging the SAML2 standard. This flaw allows attackers to potentially bypass authentication mechanisms, granting them unauthorized access to protected resources. The vulnerability impacts versions of SPID.AspNetCore.Authentication up to and including 3.3.0-prerelease, and a fix is available in version 3.4.0.
The core of the vulnerability lies in the library's handling of SAML assertions, the data exchanged between the Identity Provider (IdP) and the Service Provider (SP) during authentication. An attacker can craft malicious SAML assertions, manipulating the identity information presented to the Service Provider. This manipulation could allow them to impersonate legitimate users, gain access to sensitive data, or escalate privileges within the system. The potential impact is significant, as successful exploitation could compromise the entire application relying on SPID.AspNetCore.Authentication for authentication. The SPID library acts as the Service Provider (SP) in the SAML2 flow, making it a critical point of attack.
CVE-2025-24894 was publicly disclosed on 2025-02-18. Currently, there are no known public proof-of-concept exploits available. The vulnerability's criticality (CVSS 9.1) suggests a potentially high probability of exploitation if a suitable exploit is developed. It is not currently listed on the CISA KEV catalog.
Applications and services relying on SPID.AspNetCore.Authentication for authentication, particularly those handling sensitive data or critical functions, are at significant risk. Organizations using older, unpatched versions of the library, or those with custom authentication logic built on top of SPID.AspNetCore.Authentication, should prioritize remediation.
• .NET / ASP.NET Core:
Get-Package -Name SPID.AspNetCore.Authentication | Select-Object Version• .NET / ASP.NET Core: Check for versions <= 3.3.0-prerelease in project files or NuGet package manager. • .NET / ASP.NET Core: Monitor application logs for unusual SAML assertion processing errors or authentication failures. • .NET / ASP.NET Core: Review code for any custom SAML assertion handling logic that might be vulnerable to manipulation.
disclosure
漏洞利用状态
EPSS
0.06% (19% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-24894 is to immediately upgrade to version 3.4.0 of SPID.AspNetCore.Authentication. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter validation of incoming SAML assertions at the Service Provider level. This might involve verifying the signature of the assertion, checking the issuer, and validating the attributes contained within the assertion. Web Application Firewalls (WAFs) configured to inspect SAML traffic can also provide a layer of defense by detecting and blocking malicious assertions. After upgrading, confirm the fix by attempting to authenticate with a test user and verifying that the application behaves as expected.
升级 SPID.AspNetCore.Authentication 库到 3.4.0 或更高版本。此版本包含对 SAML 响应签名验证绕过漏洞的修复。升级将缓解身份冒充的风险。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-24894 is a critical vulnerability (CVSS 9.1) in SPID.AspNetCore.Authentication versions up to 3.3.0-prerelease. It allows attackers to potentially bypass authentication by manipulating SAML assertions.
Yes, if you are using SPID.AspNetCore.Authentication versions 3.3.0-prerelease or earlier, you are affected by this vulnerability.
Upgrade to version 3.4.0 of SPID.AspNetCore.Authentication to remediate the vulnerability. If immediate upgrade is not possible, implement stricter SAML assertion validation.
Currently, there are no known active exploits, but the high CVSS score suggests a potential for future exploitation.
Refer to the official SPID project documentation and security advisories for the latest information and updates regarding CVE-2025-24894.
上传你的 packages.lock.json 文件,立即知道是否受影响。