CVE-2025-27509: Fleet has SAML authentication vulnerability due to improper SAML response validation
(updated )
In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:
- Forge authentication assertions, potentially impersonating legitimate users.
- If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.
- If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.
This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration.
References
- github.com/advisories/GHSA-52jx-g6m5-h735
- github.com/fleetdm/fleet
- github.com/fleetdm/fleet/commit/718c95e47ad010ad6b8ceb3f3460e921fbfc53bb
- github.com/fleetdm/fleet/releases/tag/fleet-v4.64.2
- github.com/fleetdm/fleet/security/advisories/GHSA-52jx-g6m5-h735
- nvd.nist.gov/vuln/detail/CVE-2025-27509
- pkg.go.dev/vuln/GO-2025-3505
Detect and mitigate CVE-2025-27509 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →