
CVE-2025-9943: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Shibboleth Service Provider

Severity: Critical
Tags: vulnerability, cve-2025-9943, cwe-89
Published: Wed Sep 10 2025 (09/10/2025, 06:45:50 UTC)
Source: CVE Database V5
Vendor/Project: Shibboleth
Product: Service Provider

Description

An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin. The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271). This issue affects Shibboleth Service Provider through 3.5.0.

AI-Powered Analysis

Last updated: 09/10/2025, 07:15:32 UTC

Technical Analysis

CVE-2025-9943 is a critical SQL injection vulnerability affecting the Shibboleth Service Provider (SP) software up to and including version 3.5.0. The flaw lies in the handling of the "ID" attribute of the SAML response when the replay cache is configured to use an SQL database via the ODBC plugin. The root cause is insufficient escaping of single quotes in the SQLString class (odbc-store.cpp, lines 253-271), which allows an unauthenticated attacker to perform blind SQL injection. An attacker can therefore send a SAML response whose "ID" attribute alters the SQL statement the replay cache issues against the backend database. Because the replay cache stores SAML response IDs in that database precisely to prevent replay attacks, every inbound response reaches this code path, which makes the injection point critical. Exploitation requires neither authentication nor user interaction, and the attacker can extract arbitrary data from the database, potentially including sensitive identity information or credentials. The vulnerability is particularly severe because it affects a core component of federated identity management that is widely used in academic, government, and enterprise environments for single sign-on (SSO) and identity federation. The absence of a CVSS score indicates that this is a newly disclosed vulnerability, but its characteristics align with high-severity SQL injection flaws. No exploitation in the wild has been reported, but the attack vector is straightforward given the unauthenticated nature of the flaw and the direct injection point in SAML response processing.

Potential Impact

For European organizations, the impact of this vulnerability is significant. Shibboleth Service Provider is widely deployed across European universities, research institutions, and government agencies as part of federated identity solutions (e.g., eduGAIN). Exploitation could lead to unauthorized data disclosure from backend databases, compromising user identities, authentication tokens, and potentially other sensitive information stored in the replay cache database. This could undermine trust in federated authentication systems, lead to identity theft, unauthorized access to protected resources, and data breaches subject to GDPR regulations. The ability to extract arbitrary data without authentication increases the risk of large-scale data leakage. Additionally, disruption of the replay cache could allow replay attacks or denial of service conditions, impacting availability of authentication services. The reputational damage and regulatory penalties for affected organizations could be substantial, especially in sectors handling sensitive personal or governmental data.

Mitigation Recommendations

Organizations using Shibboleth SP with SQL-based replay cache storage via the ODBC plugin should immediately review their configurations and apply patches or updates as soon as the vendor releases them. In the absence of an official patch, mitigation steps include:

1) Temporarily disabling the SQL-based replay cache, or switching to an alternative non-SQL storage backend, to remove the injection vector.
2) Enforcing strict input validation on all SAML response attributes at the application or proxy level, especially the "ID" attribute.
3) Restricting the database user's permissions to the minimum necessary, so that a successful injection exposes as little data as possible.
4) Monitoring database and application logs for unusual query patterns indicative of injection attempts.
5) Deploying Web Application Firewalls (WAFs) with rules targeting SQL injection patterns on SAML endpoints.
6) Conducting security audits and penetration testing focused on SAML processing components.
7) Educating administrators about the risks of ODBC plugin configurations that lack proper input sanitization.

These steps go beyond generic advice by focusing on configuration changes, monitoring, and layered defenses specific to the Shibboleth replay cache SQL injection vector.
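The following C++ is an added illustration of mitigation step 2 and of the escaping defect described in the Technical Analysis; it is not Shibboleth SP code and does not reproduce the SQLString class. It relies on a fact about the SAML schema: the "ID" attribute is of type xs:ID (an XML NCName), so a well-formed ID can never contain a quote, space or semicolon, and a validator can refuse such values before they reach any storage backend. The function names, the ASCII-only NCName check and the table name replay_cache are assumptions for the example.

```cpp
#include <cctype>
#include <stdexcept>
#include <string>

// Hypothetical validator (not Shibboleth code). An xs:ID / NCName starts with
// a letter or '_' and then contains only letters, digits, '.', '-' or '_'.
// This ASCII-only check is stricter than the XML specification, which is
// acceptable for a replay-cache key: anything outside the set is refused.
bool isValidSamlId(const std::string& id) {
    if (id.empty()) return false;
    const unsigned char first = static_cast<unsigned char>(id[0]);
    if (!(std::isalpha(first) || first == '_')) return false;
    for (const char ch : id) {
        const unsigned char c = static_cast<unsigned char>(ch);
        if (!(std::isalnum(c) || c == '.' || c == '-' || c == '_')) return false;
    }
    return true;
}

// Second layer: when a value must be embedded as a SQL string literal at all,
// every single quote is doubled ('' is the standard SQL escape). An escaper
// that misses quotes is the class of defect the advisory attributes to
// SQLString; bound parameters are still preferable to literal construction.
std::string sqlQuote(const std::string& value) {
    std::string out;
    out.reserve(value.size() + 2);
    out.push_back('\'');
    for (const char c : value) {
        if (c == '\'') out.push_back('\'');  // double the quote
        out.push_back(c);
    }
    out.push_back('\'');
    return out;
}

// Builds the replay-cache lookup only for IDs that passed validation; a
// malformed ID is rejected outright rather than escaped and stored.
std::string replayLookupQuery(const std::string& samlId) {
    if (!isValidSamlId(samlId))
        throw std::invalid_argument("SAML ID is not an NCName; rejecting response");
    return "SELECT 1 FROM replay_cache WHERE id = " + sqlQuote(samlId);
}
```

The constructed ID `_abc'def` fails validation, so it never reaches the query builder, while the quoter shows what correct escaping produces when a literal is unavoidable.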


Technical Details

Data Version
5.1
Assigner Short Name
SEC-VLab
Date Reserved
2025-09-03T12:56:22.575Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68c12201e55cc6e90d9f5605

Added to database: 9/10/2025, 7:00:17 AM

Last enriched: 9/10/2025, 7:15:32 AM

Last updated: 9/10/2025, 11:45:13 AM

