
CVE-2025-27509 github.com/fleetdm/fleet/v4

Package

Manager: go
Name: github.com/fleetdm/fleet/v4
Vulnerable Version: >=4.64.0 <4.64.2 || >=4.63.0 <4.63.2 || >=4.62.0 <4.62.4 || >=4.54.0 <4.58.1 || >=0 <4.53.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00145 (percentile: 0.35518)

Details

Fleet has a SAML authentication vulnerability due to improper SAML response validation

### Impact

In vulnerable versions of Fleet, an attacker could craft a specially formed SAML response to:

- Forge authentication assertions, potentially impersonating legitimate users.
- If Just-In-Time (JIT) provisioning is enabled, provision a new administrative user account.
- If MDM enrollment is enabled, use certain endpoints to create new accounts tied to forged assertions.

This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration.

### Patches

This issue is addressed in commit [fc96cc4](https://github.com/fleetdm/fleet/commit/fc96cc4e91047250afb12f65ad70e90b30a7fb1c) and is available in Fleet version 4.64.2. The following backport versions also address this issue:

- 4.63.2
- 4.62.4
- 4.58.1
- 4.53.2

### Workarounds

If an immediate upgrade is not possible, Fleet users should temporarily disable [single sign-on (SSO)](https://fleetdm.com/docs/deploy/single-sign-on-sso) and use password authentication.

### Credit

Thank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team, for finding and reporting this vulnerability using our [responsible disclosure process](https://github.com/fleetdm/fleet/blob/main/SECURITY.md).

### For more information

If you have any questions or comments about this advisory:

- Email us at security@fleetdm.com
- Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)
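The advisory's vulnerable-version expression is the practical input a defender has to act on when triaging deployed Fleet servers. The following is an added example, not code from Fleet or the advisory: it parses that exact `||`-separated range expression and decides whether a given Fleet version falls inside any of the affected ranges, so an inventory of versions can be checked against this CVE (the `triage` helper and the version list it takes are this example's own).

```python
import re
from typing import Dict, List, Tuple

# Vulnerable version expression quoted verbatim from the advisory (GHSA-52jx-g6m5-h735).
VULNERABLE_RANGE = (">=4.64.0 <4.64.2 || >=4.63.0 <4.63.2 || >=4.62.0 <4.62.4 "
                    "|| >=4.54.0 <4.58.1 || >=0 <4.53.2")

# One comparator: operator followed by an optional 'v' and a dotted version.
_CMP = re.compile(r"(>=|<=|>|<|=)\s*v?(\d+(?:\.\d+)*)")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '4.64.2' or 'v4.64' into a comparable tuple, right-padded with zeros to 3 parts."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_constraints(expr: str) -> List[List[Tuple[str, Version]]]:
    """Split 'a b || c d' into OR-groups, each a list of AND-ed (operator, version) pairs."""
    groups = []
    for clause in expr.split("||"):
        pairs = _CMP.findall(clause)
        if not pairs:
            raise ValueError(f"unparseable clause: {clause!r}")
        groups.append([(op, parse_version(v)) for op, v in pairs])
    return groups


def _holds(op: str, have: Version, want: Version) -> bool:
    """Evaluate a single comparator against the version under test."""
    return {">=": have >= want, "<=": have <= want, ">": have > want,
            "<": have < want, "=": have == want}[op]


def is_vulnerable(version: str, expr: str = VULNERABLE_RANGE) -> bool:
    """True if `version` satisfies every comparator of at least one OR-group."""
    have = parse_version(version)
    return any(all(_holds(op, have, want) for op, want in group)
               for group in parse_constraints(expr))


def triage(versions: List[str]) -> Dict[str, bool]:
    """Map each deployed Fleet version (hypothetical inventory input) to whether the CVE applies."""
    return {v: is_vulnerable(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; versions at each range boundary are the ones worth eyeballing.
    for ver, hit in triage(["4.53.1", "4.53.2", "4.58.0", "4.58.1", "4.64.1", "4.64.2"]).items():
        print(f"fleet {ver}: {'VULNERABLE' if hit else 'not affected'}")
```

Note that the expression's ranges are inclusive on the lower bound and exclusive on the upper bound, so each listed fixed version (4.64.2, 4.63.2, 4.62.4, 4.58.1, 4.53.2) reports as not affected while the release just below it does.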

Metadata

Created: 2025-03-06T19:12:27Z
Modified: 2025-03-14T20:32:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-52jx-g6m5-h735/GHSA-52jx-g6m5-h735.json
CWE IDs: ["CWE-285", "CWE-74"]
Alternative ID: GHSA-52jx-g6m5-h735
Finding: F184
Auto approve: 1