GHSA-5cjr-mxj5-wmrx: SimpleSAMLphp has Possible DoS via XPath Transform
SimpleSAMLphp versions prior to 4.20.3 are vulnerable to a denial-of-service (DoS) attack via XPath transforms. The vulnerability allows an attacker to send specially crafted messages that cause resource exhaustion. A mitigation has been implemented to restrict the number and type of transforms, specifically disallowing XPath transforms as per the SAML 2.0 Core Specifications.
AI Analysis
Technical Summary
SimpleSAMLphp's SAML2 library is vulnerable to a denial-of-service attack through the use of XPath transforms. Attackers can exploit this by sending crafted messages that trigger excessive processing. The vulnerability is identified as CWE-400 (Uncontrolled Resource Consumption). The issue affects versions before 4.20.3. Mitigations restrict transform algorithms to those defined in the SAML 2.0 Core Specifications and refuse XPath transforms to prevent exploitation.
Potential Impact
An attacker can cause a denial-of-service condition on any entity relying on vulnerable versions of SimpleSAMLphp by sending specially crafted SAML messages that exploit XPath transforms. This results in resource exhaustion and service unavailability. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
Upgrade to SimpleSAMLphp version 4.20.3 or later, where the vulnerability is mitigated by restricting the number of transforms and disallowing XPath transforms. No other mitigation is indicated. Patch status is confirmed by the affected version range and description.
CVSS v3.1
Affected software
Weaknesses
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: GHSA-5cjr-mxj5-wmrx
- OSV schema version: 1.4.0
- Aliases: CVE-2026-49289
- Ecosystems: Packagist
- Database-specific severity: HIGH
- CVSS version: 3.1
Threat ID: 6a46ecb227e9c7971943c587
Added to database: 07/02/2026, 22:56:50 UTC
Last enriched: 07/02/2026, 23:08:01 UTC
Last updated: 07/02/2026, 23:08:01 UTC