- Issue created by @kreynen
This was discussed in https://security.drupal.org/node/182873. The decision was to manage the issue publicly in a non-security release to address CVE-2025-27773.
https://nvd.nist.gov/vuln/detail/CVE-2025-27773
https://feedly.com/cve/CVE-2025-27773
Anyone manually running `composer audit` or using a tool/service that checks that would be aware of the security update 3 levels into their project (project->simplesamlphp_auth->simplesaml->saml2) and would apply the update with `composer update` unless there was some other dependency requiring < 2.3.7 or simplesamlphp/simplesamlphp was pinned at 2.3.5 for some reason.
Update https://git.drupalcode.org/project/simplesamlphp_auth/-/blob/4.x/compose... to require ^2.3.5
Merge and roll release with info about CVE-2025-27773 in the release notes.
Active
4.0
Code
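The dependency chain and the pinning case described in the issue can be checked against a project's own lock data. The following is an added example, not code from the module or from the issue author. It assumes the Composer package names `drupal/simplesamlphp_auth` and `simplesamlphp/saml2` for the chain's "simplesamlphp_auth" and "saml2", and every version and constraint in the sample data is constructed.

```python
import re

# Constructed sample: a root composer.json "require" map and the "packages"
# section of a composer.lock. Versions and constraints are illustrative only.
ROOT_REQUIRE = {
    "drupal/simplesamlphp_auth": "^4.0",
    "simplesamlphp/simplesamlphp": "2.3.5",  # exact pin, the blocking case
}
LOCK = {"packages": [
    {"name": "drupal/simplesamlphp_auth", "version": "4.0.0",
     "require": {"simplesamlphp/simplesamlphp": "^2.0"}},
    {"name": "simplesamlphp/simplesamlphp", "version": "v2.3.5",
     "require": {"simplesamlphp/saml2": "^5.0"}},
    {"name": "simplesamlphp/saml2", "version": "v5.0.0", "require": {}},
]}

# A constraint naming one exact version, e.g. "2.3.5", "v2.3.5" or "=2.3.5".
EXACT_PIN = re.compile(r"^=?\s*v?\d+(\.\d+){1,3}$")


def chains_to(target, root_require, lock):
    """Return every dependency chain from the root project to `target`."""
    requires = {p["name"]: p.get("require", {}) for p in lock["packages"]}
    found = []

    def walk(name, path):
        if name in path:  # guard against dependency cycles
            return
        path = path + [name]
        if name == target:
            found.append(path)
            return
        for dep in requires.get(name, {}):  # php/ext-* entries have no package
            walk(dep, path)

    for name in root_require:
        walk(name, [])
    return found


def exact_pins(chain, root_require):
    """Packages in `chain` that the root project pins to one exact version."""
    pins = {n: root_require[n] for n in chain if n in root_require}
    return {n: c for n, c in pins.items() if EXACT_PIN.match(c)}


if __name__ == "__main__":
    for chain in chains_to("simplesamlphp/saml2", ROOT_REQUIRE, LOCK):
        print(" -> ".join(["(project)"] + chain), exact_pins(chain, ROOT_REQUIRE))
```

A non-empty result from `exact_pins` marks a chain where `composer update` cannot move the pinned package until the root constraint is relaxed.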