
CVE-2025-46404: CWE-476: NULL Pointer Dereference in Entr'ouvert Lasso

Severity: High
Tags: Vulnerability, CVE-2025-46404, cve, cve-2025-46404, cwe-476
Published: Wed Nov 05 2025 (11/05/2025, 14:56:59 UTC)
Source: CVE Database V5
Vendor/Project: Entr'ouvert
Product: Lasso

Description

A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

AI-Powered Analysis

Last updated: 11/05/2025, 15:22:57 UTC

Technical Analysis

CVE-2025-46404 is a critical vulnerability identified in Entr'ouvert Lasso version 2.5.1, a widely used open-source SAML library that facilitates SAML-based single sign-on (SSO) authentication. The flaw resides in the lasso_provider_verify_saml_signature function, which is responsible for verifying the digital signatures of SAML responses. Specifically, the vulnerability is a NULL pointer dereference (CWE-476) triggered when the function processes a specially crafted, malformed SAML response. This malformed input causes the application to attempt to access or dereference a NULL pointer, leading to a denial of service (DoS) condition by crashing or halting the service. The vulnerability can be exploited remotely over the network without requiring any privileges, although user interaction is necessary in the form of processing the malicious SAML response. The CVSS v3.1 base score is 9.6, reflecting the critical nature of this vulnerability, with high impact on confidentiality, integrity, and availability, and low attack complexity. While no known exploits are currently observed in the wild, the potential for disruption is significant given the role of Lasso in authentication workflows. The vulnerability affects only version 2.5.1 of Entr'ouvert Lasso, and no official patches have been released yet. The vulnerability was publicly disclosed on November 5, 2025, with prior reservation in May 2025. The flaw could be leveraged by attackers to disrupt authentication services, potentially causing widespread service outages or forcing fallback to less secure authentication methods.

Potential Impact

For European organizations, the impact of CVE-2025-46404 is substantial, particularly for those relying on Entr'ouvert Lasso 2.5.1 for SAML-based authentication in critical systems such as government portals, financial services, healthcare, and large enterprises. A successful exploitation results in denial of service, causing authentication failures and service unavailability, which can disrupt business operations and user access. The critical severity and high CVSS score indicate that confidentiality and integrity could also be impacted if the denial of service leads to fallback on weaker authentication mechanisms or exposes systems to further attacks. The disruption of SAML authentication can affect federated identity management, causing cascading failures in interconnected systems. Additionally, the lack of patches increases the risk window, and the ease of exploitation without privileges or complex conditions heightens the threat. European organizations with stringent compliance requirements (e.g., GDPR) may face regulatory and reputational risks if authentication services are compromised or unavailable.

Mitigation Recommendations

1. Immediate mitigation involves monitoring and filtering incoming SAML responses to detect and block malformed or suspicious payloads that could trigger the NULL pointer dereference.
2. Deploy Web Application Firewalls (WAFs) or SAML-specific gateways capable of validating SAML assertions before they reach the Lasso library.
3. Implement strict input validation and error handling around SAML response processing to prevent dereferencing NULL pointers.
4. Segregate authentication services and apply rate limiting to reduce the impact of potential denial of service attempts.
5. Engage with Entr'ouvert or community channels to obtain patches or updated versions addressing this vulnerability as soon as they become available.
6. Conduct thorough testing of authentication workflows to identify any abnormal crashes or failures related to SAML processing.
7. Prepare incident response plans specifically for authentication service disruptions, including fallback authentication methods that maintain security posture.
8. Educate security teams and developers about this vulnerability to ensure rapid detection and response.
9. Review and update SAML configurations to minimize exposure, such as restricting trusted identity providers and enforcing strict signature validation policies.
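
A structural pre-check of the kind items 1 to 3 describe, written as an added example (not code from Entr'ouvert or from this page): it rejects SAML responses that are not well-formed or lack a complete signature structure before they are handed to the library. The page does not say which malformation triggers the dereference, so the specific checks, the function name and the size limit are assumptions, and the gate reduces exposure rather than replacing a patch.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_B64_LEN = 256 * 1024  # assumed ceiling, tune per deployment

def precheck_saml_response(b64_response):
    """Return (ok, reason). Structural gate only; it verifies no signature."""
    if len(b64_response) > MAX_B64_LEN:
        return False, "response too large"
    try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        text = base64.b64decode(b64_response, validate=True).decode("utf-8")
    except ValueError:
        return False, "not base64-encoded UTF-8"
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return False, "DTD or entity declaration present"
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return False, "not well-formed XML"
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root element is not samlp:Response"
    sigs = root.findall(".//ds:Signature", NS)
    if not sigs:  # assumed policy: unsigned responses are never accepted
        return False, "no ds:Signature element"
    ids = {el.get("ID") for el in root.iter() if el.get("ID")}
    for sig in sigs:
        value = sig.find("ds:SignatureValue", NS)
        if value is None or not (value.text or "").strip():
            return False, "missing or empty ds:SignatureValue"
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if not refs:
            return False, "no ds:SignedInfo/ds:Reference"
        for ref in refs:
            uri = ref.get("URI") or ""
            if not uri.startswith("#") or uri[1:] not in ids:
                return False, "ds:Reference does not target an ID in this document"
    return True, "ok"

# Constructed sample (not a captured message): structurally complete response.
SAMPLE_OK = base64.b64encode((
    '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:ds="%(ds)s" ID="_r1">'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>'
    '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    '</samlp:Response>' % NS).encode())
# Constructed to exercise the gate only; not the CVE trigger (the page gives none).
SAMPLE_BAD = base64.b64encode(base64.b64decode(SAMPLE_OK).replace(
    b'<ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>', b''))
```

Responses that pass still go through the library's normal signature verification; log the rejection reason so malformed submissions show up in monitoring.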


Technical Details

Data Version: 5.2
Assigner Short Name: talos
Date Reserved: 2025-05-07T13:20:20.998Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 690b6825eb4434bb4f92dfff

Added to database: 11/5/2025, 3:07:17 PM

Last enriched: 11/5/2025, 3:22:57 PM

Last updated: 11/6/2025, 10:59:25 AM
