Problem/Motivation

This was discussed in https://security.drupal.org/node/182873. The decision was to manage the issue publicly in a non-security release to address CVE-2025-27773.

https://nvd.nist.gov/vuln/detail/CVE-2025-27773
https://feedly.com/cve/CVE-2025-27773

Anyone manually running `composer audit`, or using a tool or service that checks the same advisories, would be aware of a security update 3 levels deep in their project (project->simplesamlphp_auth->simplesamlphp->saml2) and would apply the update with `composer update`, unless some other dependency required < 2.3.7 or simplesamlphp/simplesamlphp was pinned at 2.3.5 for some reason.
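The two conditions above (a transitive advisory that `composer audit` surfaces, and a pin that stops `composer update` from resolving it) can be checked against a site's own `composer.json` and `composer.lock` without running Composer. The following is an added example, not code from this issue or from the simplesamlphp_auth project: it walks the `require` edges in a constructed lock fragment to show the project->simplesamlphp_auth->simplesamlphp->saml2 chain, compares the locked `simplesamlphp/simplesamlphp` version against the 2.3.7 figure quoted in this issue, and lists which packages (or the root project) constrain that package with an exact pin. The package versions in the sample other than 2.3.5 and 2.3.7 are illustrative placeholders, and the "project" root node is an assumed name for the site's own composer.json.

```python
import json
import re
from typing import Dict, List, Optional

# Threshold taken from the issue text: simplesamlphp/simplesamlphp releases
# below 2.3.7 still pull in the saml2 version affected by CVE-2025-27773.
FIXED_VERSION = "2.3.7"
TARGET = "simplesamlphp/simplesamlphp"

# Constructed root composer.json "require" and composer.lock fragment for a
# site that pinned simplesamlphp at 2.3.5 (the situation the issue describes).
# Versions other than the 2.3.5 / 2.3.7 figures from the issue are placeholders.
ROOT_REQUIRE = {
    "drupal/simplesamlphp_auth": "^4.0",
    "simplesamlphp/simplesamlphp": "2.3.5",  # exact pin that blocks composer update
}
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/simplesamlphp_auth", "version": "4.0.0",
     "require": {"simplesamlphp/simplesamlphp": "^2.3.5"}},
    {"name": "simplesamlphp/simplesamlphp", "version": "v2.3.5",
     "require": {"simplesamlphp/saml2": "^4.0"}},
    {"name": "simplesamlphp/saml2", "version": "4.0.0", "require": {}},
]})


def parse_version(v: str):
    """Turn 'v2.3.5' or '2.3.5-beta1' into a comparable tuple such as (2, 3, 5)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(p) for p in m.group(1).split("."))


def load_packages(lock_text: str) -> Dict[str, dict]:
    """Index every locked package (prod and dev) by name."""
    data = json.loads(lock_text)
    return {p["name"]: p for p in data.get("packages", []) + data.get("packages-dev", [])}


def dependency_chain(packages, root_require, target) -> Optional[List[str]]:
    """Depth-first walk from the root composer.json down 'require' edges to target."""
    def walk(name, path):
        if name == target:
            return path + [name]
        pkg = packages.get(name)
        if pkg is None:
            return None
        for dep in pkg.get("require", {}):
            if dep in path:  # guard against dependency cycles
                continue
            found = walk(dep, path + [name])
            if found:
                return found
        return None

    for dep in root_require:
        found = walk(dep, ["project"])  # "project" = the site's own composer.json
        if found:
            return found
    return None


def requirers(packages, root_require, target) -> Dict[str, str]:
    """Every package (and the root) that constrains target, with its constraint string."""
    out = {}
    if target in root_require:
        out["project"] = root_require[target]
    for name, pkg in packages.items():
        if target in pkg.get("require", {}):
            out[name] = pkg["require"][target]
    return out


def exact_pins(reqs: Dict[str, str]) -> Dict[str, str]:
    """Constraints like '2.3.5' (no ^, ~, >= or wildcard) that freeze one version."""
    return {n: c for n, c in reqs.items() if re.fullmatch(r"v?\d+(\.\d+)*", c)}


def check_lock(lock_text, root_require, target=TARGET, fixed=FIXED_VERSION) -> dict:
    """Report locked version, whether it is below the fix, the chain, and blocking pins."""
    packages = load_packages(lock_text)
    locked = packages[target]["version"]
    reqs = requirers(packages, root_require, target)
    return {
        "locked_version": locked,
        "outdated": parse_version(locked) < parse_version(fixed),
        "chain": dependency_chain(packages, root_require, target),
        "requirers": reqs,
        "blocking_pins": exact_pins(reqs),
    }


if __name__ == "__main__":
    print(json.dumps(check_lock(SAMPLE_LOCK, ROOT_REQUIRE), indent=2))
```

For a real site, replace `SAMPLE_LOCK` with the contents of `composer.lock` and `ROOT_REQUIRE` with the `require` map from `composer.json`; a non-empty `blocking_pins` entry is the reason `composer update` alone would not move `simplesamlphp/simplesamlphp` past the pinned release, and `chain` shows where in the tree the advisory from `composer audit` actually sits.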

Proposed resolution

Update https://git.drupalcode.org/project/simplesamlphp_auth/-/blob/4.x/compose... to require ^2.3.5

Remaining tasks

Merge and roll release with info about CVE-2025-27773 in the release notes.


Comments

kreynen created an issue.