CVE-2025-24895
Published: 18 February 2025
Description
An unauthenticated remote attacker can forge a SAML response that a vulnerable Service Provider accepts as valid: signature validation does not guarantee that the first signature it finds applies to the root element, so a legitimately signed element taken from the Identity Provider's public metadata can be placed first and the remainder of the response is never verified.
Security Summary
CVE-2025-24895 is a critical vulnerability in the CIE.AspNetCore.Authentication library, an ASP.NET Core remote authenticator for CIE 3.0 that handles SAML2 assertion validation for Service Providers (SPs) in SPID and CIE authentication systems. The flaw is a signature-wrapping style weakness in SAML response validation: the check verifies the first signature it finds in the document but does not guarantee that this signature is the one enveloped in, and referencing, the root Response element. An attacker can therefore inject a legitimately signed XML element (easily obtained from the Identity Provider's (IdP) public metadata) as the first element; that signature verifies, and the signatures that should cover the Response and its Assertion are never checked. Affected versions are those prior to 2.1.0. The issue is mapped to CWE-287 (Improper Authentication) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Unauthenticated remote attackers can exploit this by crafting an arbitrary SAML response that a vulnerable SP accepts as valid: the signed element from IdP metadata goes first, a forged Assertion for any subject follows unsigned, and the core validation logic is bypassed, giving full impersonation of any SPID or CIE user. Exploitation requires no privileges or user interaction; the impact is high for confidentiality and integrity (unauthorized access to protected resources and actions performed as the impersonated user), with no availability impact.
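The two checks described above, as an added Python example that is not code from cie-aspnetcore (which is C#) and does not reproduce its API: a `vulnerable_accepts` function that takes the first ds:Signature in document order and verifies whatever it references, beside a `hardened_accepts` function that only trusts a signature enveloped in the Response (and Assertion) element and referencing that element's own ID. Real XML-DSig is replaced by an HMAC over the serialized element so the example runs offline with the standard library; the IdP key, element IDs, entity URLs and the signed EntityDescriptor standing in for public metadata are all constructed for the demo.

```python
"""Added example (not cie-aspnetcore code, which is C#): why "first signature in
document order" is the wrong check. XML-DSig is replaced by an HMAC over the
serialized element so it runs offline; keys, IDs and URLs are constructed."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def canonical_bytes(elem):
    """Serialize elem with its own direct-child ds:Signature removed (enveloped transform)."""
    c = copy.deepcopy(elem)
    for sig in c.findall(q("ds", "Signature")):
        c.remove(sig)
    return ET.tostring(c)

def sign_element(elem, key):
    """Append a ds:Signature (HMAC stand-in for XML-DSig) whose Reference names elem's ID."""
    mac = hmac.new(key, canonical_bytes(elem), hashlib.sha256).hexdigest()
    sig = ET.SubElement(elem, q("ds", "Signature"))
    info = ET.SubElement(sig, q("ds", "SignedInfo"))
    ET.SubElement(info, q("ds", "Reference"), URI="#" + elem.get("ID"))
    ET.SubElement(sig, q("ds", "SignatureValue")).text = mac

def signature_valid_for(sig, target, key):
    """True if sig's SignatureValue is the HMAC over target."""
    expected = hmac.new(key, canonical_bytes(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.findtext("ds:SignatureValue", "", NS))

def vulnerable_accepts(response, idp_key):
    """Pre-2.1.0 shape of the check: verify the first ds:Signature found anywhere in
    the tree against whatever its Reference URI resolves to, then accept."""
    sig = response.find(".//ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    uri = ref.get("URI", "") if ref is not None else ""
    target = next((e for e in response.iter() if uri.startswith("#") and e.get("ID") == uri[1:]), None)
    return target is not None and signature_valid_for(sig, target, idp_key)

def enveloped_signature(elem):
    """The ds:Signature that is a direct child of elem and references elem's own ID."""
    want = "#" + (elem.get("ID") or "")
    for sig in elem.findall("ds:Signature", NS):
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is not None and ref.get("URI") == want:
            return sig
    return None

def hardened_accepts(response, idp_key):
    """Fixed shape: Response and Assertion each need an enveloped signature bound to
    their own ID and verified over that very element; other signatures are ignored."""
    assertion = response.find("saml:Assertion", NS)
    if assertion is None:
        return False
    for elem in (response, assertion):
        sig = enveloped_signature(elem)
        if sig is None or not signature_valid_for(sig, elem, idp_key):
            return False
    return True

def build_idp_metadata(key):
    """Constructed stand-in for the IdP's public metadata: a signed EntityDescriptor."""
    ed = ET.Element(q("md", "EntityDescriptor"), ID="_meta", entityID="https://idp.example")
    sign_element(ed, key)
    return ed

def build_response(subject, sign_with=None):
    """Constructed Response with one Assertion; both are signed if a key is given."""
    resp = ET.Element(q("samlp", "Response"), ID="_resp")
    ET.SubElement(resp, q("saml", "Issuer")).text = "https://idp.example"
    a = ET.SubElement(resp, q("saml", "Assertion"), ID="_assert")
    ET.SubElement(ET.SubElement(a, q("saml", "Subject")), q("saml", "NameID")).text = subject
    if sign_with is not None:
        sign_element(a, sign_with)  # assertion first, so the Response signature covers it
        sign_element(resp, sign_with)
    return resp

def build_wrapped_response(idp_metadata, subject):
    """Attacker's Response: the genuinely signed metadata element goes first, followed
    by a forged, unsigned Assertion for any subject."""
    resp = build_response(subject)
    resp.insert(0, copy.deepcopy(idp_metadata))
    return resp

if __name__ == "__main__":
    key = b"constructed-idp-signing-key"  # stands in for the IdP's private key
    metadata = build_idp_metadata(key)
    for name, doc in (("legitimate", build_response("alice", sign_with=key)),
                      ("wrapped", build_wrapped_response(metadata, "admin"))):
        print(f"{name:10} vulnerable={vulnerable_accepts(doc, key)} hardened={hardened_accepts(doc, key)}")
```

Run as a script, the legitimate response passes both checks, while the wrapped response, whose only signature is the one copied from metadata, passes the vulnerable check and fails the hardened one. The hardened path deliberately verifies over the element it found the signature in, rather than over whatever an ID lookup returns, which also closes the related ID-collision variant of signature wrapping.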
The GitHub security advisory (https://github.com/italia/cie-aspnetcore/security/advisories/GHSA-vq63-8f72-f486) states that the issue is fully addressed in version 2.1.0, urging all users to upgrade immediately. No workarounds are available.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The signature-validation flaw lets an attacker forge SAML responses and impersonate users (T1606.002, Forge Web Credentials: SAML Tokens), delivered by exploiting the SP's public-facing authentication endpoint (T1190, Exploit Public-Facing Application).