GHSA-52JX-G6M5-H735

Vulnerability from github – Published: 2025-03-06 19:12 – Updated: 2026-01-21 16:51
VLAI?
Summary
Fleet has SAML authentication vulnerability due to improper SAML response validation
Details

Summary

A vulnerability in Fleet’s SAML authentication handling could allow an attacker to forge authentication assertions and gain unauthorized access to Fleet. In certain configurations, this could result in the creation of new user accounts, including administrative accounts. This issue affects Fleet deployments using single sign-on (SSO).

Impact

In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:

  • Forge authentication assertions, potentially impersonating legitimate users.
  • If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.
  • If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.

This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration.

Patches

This issue is addressed in commit fc96cc4 and is available in Fleet version 4.64.2.

The following backport versions also address this issue:

  • 4.63.2
  • 4.62.4
  • 4.58.1
  • 4.53.2

Workarounds

If an immediate upgrade is not possible, Fleet users should temporarily disable single-sign-on (SSO) and use password authentication.

Credit

Thank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team for finding and reporting this vulnerability using our responsible disclosure process.

For more information

If you have any questions or comments about this advisory:

Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.64.0"
            },
            {
              "fixed": "4.64.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.63.0"
            },
            {
              "fixed": "4.63.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.62.0"
            },
            {
              "fixed": "4.62.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.54.0"
            },
            {
              "fixed": "4.58.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.53.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-06T19:12:27Z",
    "nvd_published_at": "2025-03-06T19:15:27Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nA vulnerability in Fleet\u2019s SAML authentication handling could allow an attacker to forge authentication assertions and gain unauthorized access to Fleet. In certain configurations, this could result in the creation of new user accounts, including administrative accounts. This issue affects Fleet deployments using single sign-on (SSO).\n\n### Impact\n\nIn vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:\n\n- Forge authentication assertions, potentially impersonating legitimate users.\n- If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.\n- If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.\n\nThis could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. \n\n### Patches\n\nThis issue is addressed in commit [fc96cc4](https://github.com/fleetdm/fleet/commit/fc96cc4e91047250afb12f65ad70e90b30a7fb1c) and is available in Fleet version 4.64.2.\n\nThe following backport versions also address this issue: \n\n- 4.63.2\n- 4.62.4\n- 4.58.1\n- 4.53.2\n\n### Workarounds\n\nIf an immediate upgrade is not possible, Fleet users should temporarily disable [single-sign-on (SSO)](https://fleetdm.com/docs/deploy/single-sign-on-sso) and use password authentication.\n\n### Credit\n\nThank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team for finding and reporting this vulnerability using our [responsible disclosure process](https://github.com/fleetdm/fleet/blob/main/SECURITY.md).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Email us at security@fleetdm.com\n- Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
  "id": "GHSA-52jx-g6m5-h735",
  "modified": "2026-01-21T16:51:42Z",
  "published": "2025-03-06T19:12:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-52jx-g6m5-h735"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27509"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/commit/718c95e47ad010ad6b8ceb3f3460e921fbfc53bb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fleetdm/fleet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/releases/tag/fleet-v4.64.2"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3505"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fleet has SAML authentication vulnerability due to improper SAML response validation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.