SQL Injection Flaw in Shibboleth Service Provider Affects Database Configurations
CVE-2025-9943

9.1CRITICAL

Key Information:

Vendor

Shibboleth

Status
Service Provider
Vendor
CVE Published:
10 September 2025

What is CVE-2025-9943?

An SQL injection vulnerability exists in the 'ID' attribute of the SAML response within configurations where the replay cache for the Shibboleth Service Provider utilizes an SQL database for storage. This flaw permits anonymous attackers to exploit blind SQL injection techniques, enabling unauthorized data extraction from the database when the database connection leverages the ODBC plugin. The root cause is traced to inadequate escaping of single quotes in the SQLString class, specifically found in the odbc-store.cpp file. This issue impacts versions up to and including 3.5.0.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Service Provider 0 <= 3.5.0

References

https://shibboleth.net/community/advisories/secadv_202509...
vendor-advisory
https://r.sec-consult.com/shibboleth
third-party-advisory
https://shibboleth.net/downloads/service-provider/3.5.1/
patch

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Florian Stuhlmann, SEC Consult Vulnerability Lab
JSON
.