SQL Injection Flaw in Shibboleth Service Provider Affects Database Configurations
CVE-2025-9943

Currently unrated

Key Information:

Vendor: Shibboleth
Status: Service Provider
Vendor: CVE Published:; 10 September 2025

What is CVE-2025-9943?

An SQL injection vulnerability exists in the 'ID' attribute of the SAML response within configurations where the replay cache for the Shibboleth Service Provider utilizes an SQL database for storage. This flaw permits anonymous attackers to exploit blind SQL injection techniques, enabling unauthorized data extraction from the database when the database connection leverages the ODBC plugin. The root cause is traced to inadequate escaping of single quotes in the SQLString class, specifically found in the odbc-store.cpp file. This issue impacts versions up to and including 3.5.0.

Affected Version(s)

Service Provider 0 <= 3.5.0

References

https://shibboleth.net/community/advisories/secadv_202509...

vendor-advisory

https://r.sec-consult.com/shibboleth

third-party-advisory

https://shibboleth.net/downloads/service-provider/3.5.1/

patch

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 10, 2025
Vulnerability Reserved
Sep 3, 2025

Credit

Florian Stuhlmann, SEC Consult Vulnerability Lab