CVE-2025-24894
Published: 18 February 2025
Description
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Security Summary
CVE-2025-24894 is a critical vulnerability in SPID.AspNetCore.Authentication, an ASP.NET Core remote authenticator for SPID that implements SAML2-based authentication between Identity Providers (IdPs) and Service Providers (SPs). The flaw lies in the SAML signature validation logic, which assumes the first signature in a response refers to the root object without verifying this. This enables a signature wrapping attack where an attacker injects a legitimately signed XML element—sourced from the IdP's public metadata—as the first element, causing subsequent signatures to be ignored and allowing arbitrary SAML assertions to be accepted.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and association with CWE-287 (Improper Authentication). By crafting a malicious SAML response, the attacker can impersonate any SPID or CIE user, gaining unauthorized access to SP resources protected by the vulnerable authenticator.
The GitHub security advisory for the SPID.AspNetCore project recommends upgrading to version 3.4.0, where the issue has been addressed. No workarounds are available.
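As an added illustration (not code from SPID.AspNetCore.Authentication or from its fix), the check below pins a SAML signature to the element it must cover and contrasts it with the first-signature-wins selection the advisory describes; the two XML samples and their placeholder signature values are constructed, and cryptographic verification of the selected Signature is assumed to follow separately.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace in Clark notation

def first_signature_anywhere(root):
    """Flawed selection: the first ds:Signature in document order, wherever it sits."""
    return root.find(f".//{DS}Signature")

def signature_covering(element):
    """Hardened selection: exactly one ds:Signature that is a direct child of
    `element` and whose single Reference URI is '#' + element's own ID."""
    elem_id = element.get("ID")
    sigs = [c for c in element if c.tag == DS + "Signature"]
    if not elem_id or len(sigs) != 1:
        return None
    refs = sigs[0].findall(f"{DS}SignedInfo/{DS}Reference")
    if len(refs) != 1 or refs[0].get("URI") != "#" + elem_id:
        return None
    return sigs[0]

def ids_are_unique(root):
    """Duplicate ID attributes are a classic wrapping aid; reject them outright."""
    ids = [e.get("ID") for e in root.iter() if e.get("ID")]
    return len(ids) == len(set(ids))

def select_response_signature(xml_text):
    """Report which Reference the flawed path would verify and whether the
    hardened path accepts the Response for signature checking at all."""
    root = ET.fromstring(xml_text)
    flawed = first_signature_anywhere(root)
    flawed_uri = None
    if flawed is not None:
        flawed_uri = flawed.find(f"{DS}SignedInfo/{DS}Reference").get("URI")
    hardened = signature_covering(root) if ids_are_unique(root) else None
    return {"flawed_verifies": flawed_uri, "hardened_accepts": hardened is not None}

# Constructed samples with placeholder signature values (no real IdP data).
# WRAPPED: a signed metadata element sits first; the Response itself is unsigned.
WRAPPED = """<samlp:Response ID="_resp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor ID="_meta"><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_meta"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature></md:EntityDescriptor>
  <saml:Assertion ID="_a1" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</samlp:Response>"""
# SIGNED: the Signature is a direct child of the Response and references its ID.
SIGNED = """<samlp:Response ID="_resp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</samlp:Response>"""
```

On the wrapped sample the flawed path would verify the metadata element's legitimately signed Reference and treat the root as covered, while the hardened path refuses the document because no direct-child Signature references the Response's own ID.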
Details
- CWE(s): CWE-287 (Improper Authentication)
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1606.002 (Forge Web Credentials: SAML Tokens)
Why these techniques?
The vulnerability in a public-facing SAML authenticator enables remote exploitation (T1190) and facilitates forging of SAML tokens/assertions via signature wrapping to bypass authentication (T1606.002).