{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-46784", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "state": "PUBLISHED", "assignerShortName": "talos", "dateReserved": "2025-05-07T13:20:21.670Z", "datePublished": "2025-11-05T14:56:57.782Z", "dateUpdated": "2025-11-05T22:34:21.323Z"}, "containers": {"cna": {"affected": [{"vendor": "Entr'ouvert", "product": "Lasso", "versions": [{"version": "2.5.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-401: Improper Release of Memory Before Removing Last Reference", "type": "CWE", "cweId": "CWE-401"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2025-11-05T22:34:21.323Z"}, "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2195", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2195"}], "credits": [{"lang": "en", "value": "Discovered by Keane O'Kelley of and another member of Cisco Advanced Security Initiative Group"}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2195"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-05T17:04:18.233Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T19:01:04.745056Z", "id": "CVE-2025-46784", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T19:01:16.270Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2195"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-05T17:04:18.233Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46784", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T19:01:04.745056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T19:01:11.494Z"}}], "cna": {"credits": [{"lang": "en", "value": "Discovered by Keane O'Kelley of and another member of Cisco Advanced Security Initiative Group"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Entr'ouvert", "product": "Lasso", "versions": [{"status": "affected", "version": "2.5.1"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2195", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2195"}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401: Improper Release of Memory Before Removing Last Reference"}]}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2025-11-05T22:34:21.323Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46784", "state": "PUBLISHED", "dateUpdated": "2025-11-05T22:34:21.323Z", "dateReserved": "2025-05-07T13:20:21.670Z", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "datePublished": "2025-11-05T14:56:57.782Z", "assignerShortName": "talos"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:entrouvert:lasso:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "7177DC8A-9874-45BA-BC80-17604D8A0875", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability."}], "id": "CVE-2025-46784", "lastModified": "2025-11-07T20:01:13.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-11-05T15:15:39.030", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2195"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "Exploit"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2195"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "lasso: Memory exhaustion in Entr'ouvert Lasso", "id": "2412742", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2412742"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-401", "details": ["A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-46784", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "lasso", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-11-05T14:56:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-46784\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-46784\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2025-2195\nhttps://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2195"], "statement": "This flaw describes an availability impact which is limited when exploited in the context of a Red Hat Product. A host system is not directly affected and so the impact is limited.", "threat_severity": "Moderate"}