CVE-2025-0182: CWE-770 Allocation of Resources Without Limits or Throttling in danswer-ai danswer-ai/danswer
A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package (<=0.49) via fastapi, which was patched in fastapi version 0.115.3. The vulnerability can be exploited by sending multiple requests to the /auth/saml/callback endpoint, leading to uncontrolled memory consumption and eventual denial of service.
AI Analysis
Technical Summary
CVE-2025-0182 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the danswer-ai/danswer product, specifically version 0.9.0. The root cause is the inclusion of a vulnerable starlette package version (<=0.49) used via the fastapi framework, which fails to impose limits on memory allocation when handling requests to the /auth/saml/callback endpoint. This endpoint is typically involved in SAML authentication workflows. An attacker can exploit this vulnerability by sending a high volume of unauthenticated requests to this endpoint, causing the application to allocate memory uncontrollably until exhaustion occurs, resulting in denial of service (DoS). The vulnerability has a CVSS v3.0 score of 7.5 (high severity), reflecting its network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability. The issue was addressed in fastapi version 0.115.3, which includes patches to the starlette package to enforce resource limits and prevent memory exhaustion. No public exploit code or active exploitation has been reported to date. This vulnerability highlights the risks of indirect dependencies in software stacks and the importance of timely updates to underlying frameworks. Organizations using danswer-ai/danswer should verify their dependency versions and upgrade accordingly to mitigate the risk.
Potential Impact
The primary impact of CVE-2025-0182 is denial of service through memory exhaustion, which can disrupt availability of the danswer-ai/danswer service. For European organizations, this can lead to service outages, particularly affecting authentication processes relying on the /auth/saml/callback endpoint. This disruption can impede user access, delay business operations, and potentially affect dependent systems integrated with danswer-ai/danswer. Since the vulnerability does not compromise confidentiality or integrity, data breaches are unlikely; however, the loss of availability can have significant operational and reputational consequences. Organizations in sectors with high reliance on SAML authentication, such as government, finance, healthcare, and critical infrastructure, may face increased risk. Additionally, denial of service attacks can be leveraged as part of multi-stage attacks or to distract security teams. The lack of required authentication or user interaction for exploitation increases the threat surface, making it easier for attackers to launch attacks remotely over the network.
Mitigation Recommendations
To mitigate CVE-2025-0182, organizations should:
1) Upgrade fastapi to version 0.115.3 or later, which includes the patched starlette package that enforces resource limits and prevents memory exhaustion.
2) If upgrading is not immediately feasible, implement network-level rate limiting and request throttling specifically targeting the /auth/saml/callback endpoint to reduce the risk of resource exhaustion.
3) Monitor application logs and network traffic for unusual spikes in requests to the vulnerable endpoint, enabling early detection of exploitation attempts.
4) Employ Web Application Firewalls (WAFs) with custom rules to block or challenge excessive requests to the affected endpoint.
5) Review and update dependency management processes to ensure timely patching of indirect dependencies like starlette.
6) Conduct regular penetration testing and vulnerability scanning focused on authentication endpoints to identify similar resource exhaustion risks.
7) Consider implementing circuit breakers or memory usage alerts within the application to detect and mitigate abnormal resource consumption dynamically.
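The following is an added example, not code from danswer-ai/danswer or fastapi, of the interim throttling in recommendation 2 and the rejection counting that feeds the monitoring in recommendation 3: a per-client sliding-window limiter scoped to /auth/saml/callback. The class and function names, the limit of 5 requests per 60 seconds, and the sample traffic are all constructed for illustration; wiring `allow()` into a Starlette middleware or a reverse-proxy rule is assumed and not shown.

```python
"""Sliding-window throttle for one sensitive endpoint (added example)."""
from collections import defaultdict, deque

THROTTLED_PATH = "/auth/saml/callback"   # endpoint named in the advisory


class EndpointThrottle:
    """Allow at most `limit` requests per `window` seconds per client for one path."""

    def __init__(self, limit: int = 5, window: float = 60.0, path: str = THROTTLED_PATH):
        self.limit, self.window, self.path = limit, window, path
        self._hits: dict[str, deque] = defaultdict(deque)    # client -> timestamps
        self.rejected: dict[str, int] = defaultdict(int)     # client -> drops, for alerting

    def allow(self, client: str, path: str, now: float) -> bool:
        """Return True if the request may proceed, False if it should be refused."""
        if path != self.path:            # other routes are not throttled here
            return True
        q = self._hits[client]
        while q and now - q[0] >= self.window:   # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            self.rejected[client] += 1   # spike signal for log/metric monitoring
            return False
        q.append(now)
        return True


def replay(throttle: EndpointThrottle, requests) -> list:
    """Feed (timestamp, client, path) tuples; return the allow/deny decision for each."""
    return [throttle.allow(client, path, ts) for ts, client, path in requests]


# Constructed traffic (hypothetical addresses): one client bursts the callback
# endpoint, another client uses an unrelated route, then the first client returns
# after the window has elapsed.
SAMPLE = [(float(i), "203.0.113.5", THROTTLED_PATH) for i in range(8)] + [
    (8.0, "198.51.100.9", "/health"),
    (70.0, "203.0.113.5", THROTTLED_PATH),
]

if __name__ == "__main__":
    throttle = EndpointThrottle(limit=5, window=60.0)
    print(replay(throttle, SAMPLE), dict(throttle.rejected))
```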
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2025-01-02T20:47:45.796Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b30178f764e1f470f08
Added to database: 10/15/2025, 1:01:36 PM
Last enriched: 10/15/2025, 1:04:04 PM
Last updated: 10/16/2025, 2:32:28 PM