CVE-2025-46404 is a denial of service (DoS) vulnerability identified in Entr'ouvert Lasso version 2.5.1, specifically within the function lasso_provider_verify_saml_signature. This function is responsible for verifying the digital signature of SAML responses, a critical step in SAML-based single sign-on (SSO) and identity federation workflows. The vulnerability is classified as CWE-476, a NULL pointer dereference, which occurs when the function processes a specially crafted, malformed SAML response. When such a response is received, the function attempts to dereference a NULL pointer, leading to an application crash or abnormal termination, thereby causing denial of service. The vulnerability can be triggered remotely by an unauthenticated attacker who sends a malicious SAML response to the vulnerable system. The CVSS v3.1 base score is 7.5, reflecting high severity due to the network attack vector, no required privileges or user interaction, and the impact being limited to availability (no confidentiality or integrity loss). No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (November 5, 2025). This vulnerability affects only version 2.5.1 of Entr'ouvert Lasso, a widely used open-source SAML toolkit that facilitates SAML protocol handling in web applications and identity providers. The flaw could disrupt authentication services, potentially impacting dependent applications and users.

The primary impact of CVE-2025-46404 is denial of service, affecting the availability of authentication services that rely on Entr'ouvert Lasso 2.5.1 for SAML signature verification. For European organizations, this could lead to temporary outages of single sign-on systems, identity federation services, or other applications dependent on SAML authentication, resulting in user access disruptions and operational downtime. Critical sectors such as government, finance, healthcare, and telecommunications that utilize SAML for secure federated access could experience significant service interruptions. While confidentiality and integrity are not compromised, the loss of availability can hinder business continuity and user productivity. The ease of exploitation—requiring no authentication or user interaction—means attackers can remotely trigger the DoS condition, potentially as part of a broader attack campaign or to cause targeted disruption. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation. Organizations with high dependency on Entr'ouvert Lasso for identity management should prioritize mitigation to avoid service degradation or denial.

To mitigate CVE-2025-46404, organizations should first monitor Entr'ouvert's official channels for patches or updates addressing this vulnerability and apply them promptly once available. In the interim, implement network-level filtering to detect and block malformed or suspicious SAML responses before they reach the Lasso processing component. Deploy Web Application Firewalls (WAFs) or SAML-aware proxies capable of validating SAML message structure and signatures to prevent malformed inputs. Review and harden SAML response handling configurations to reject unexpected or non-compliant messages. Conduct thorough testing of authentication workflows to identify potential crash triggers. Additionally, implement robust monitoring and alerting for abnormal application crashes or service interruptions related to SAML processing. Consider deploying redundancy or failover mechanisms for authentication services to maintain availability during potential DoS events. Finally, educate security and IT teams about this vulnerability to ensure rapid incident response if exploitation attempts are detected.