Description
The crewjam/saml Go library contains a partial implementation of the SAML standard in Go. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. A user can pass more than 1 MB of data in the HTTP request to the processing functions, which decompress it server-side using the Deflate algorithm, so the amount of memory allocated is controlled by the sender rather than the server. Repeating the same request several times therefore produces a reliable crash, as the operating system kills the process once memory is exhausted. This issue is patched in version 0.4.13.
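The pattern behind the advisory and the usual mitigation, as an added example that is not the crewjam/saml code or its patch: the unbounded form hands `flate.NewReader` output straight to `io.ReadAll`, while the bounded form reads through `io.LimitReader` and rejects any payload that inflates past a cap. The 1 MiB cap, the function names and the constructed sample inputs are assumptions for illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// maxInflated is a constructed cap on inflated bytes per request (1 MiB echoes
// the description's figure; it is not the value chosen by the upstream fix).
const maxInflated = 1 << 20
var errTooLarge = errors.New("inflated payload exceeds size limit")

// inflateUnbounded mirrors the pre-0.4.13 pattern: output size is sender-controlled.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded reads at most limit+1 bytes through io.LimitReader; if the
// extra byte arrives the payload is rejected, so memory use stays bounded.
func inflateBounded(compressed []byte, limit int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, errTooLarge
	}
	return out, nil
}

// deflate builds a constructed compressed sample so the example runs offline.
func deflate(payload []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(payload)
	w.Close()
	return buf.Bytes()
}

func main() {
	large := deflate(make([]byte, 4*maxInflated)) // 4 MiB of zeros, a few KiB deflated
	_, err := inflateBounded(large, maxInflated)
	fmt.Println("oversized payload rejected:", errors.Is(err, errTooLarge))
}
```

A request-body limit at the HTTP layer (for example `http.MaxBytesReader`) is complementary but not sufficient on its own, since the problem is the inflated size, not the size on the wire.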
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/crewjam/saml/security/advisories/GHSA-5mqj-xc49-246p
Patch x_refsource_misc
https://github.com/crewjam/saml/commit/8e9236867d176ad6338c870a84e2039aef8a5021
Scores
CVSS v3
7.5
EPSS
0.0070
EPSS Percentile
72.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
crewjam/saml
0 - 0.4.13 (Go)
saml_project/saml
0.4.12
Published
Mar 22, 2023
Tracked Since
Feb 18, 2026