CVE-2025-47151

Published Nov 5, 2025

Last updated 6 months ago

Overview

Description
A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.
Source
talos-cna@cisco.com
NVD status
Analyzed
Products
lasso

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

talos-cna@cisco.com
CWE-843

Social media

Hype score
Not currently trending
  1. CVE-2025-47151: Entr'ouvert Lasso type confusion RCE (CVSS 9.8). SAML implementation library vulnerable via crafted XML parsing. SSO infrastructure bugs enable lateral movement across federated environments. Patch: https://t.co/YATuDUzyJa

    @gothburz

    15 Nov 2025


  2. CVE-2025-47151 (CVSS:9.8, CRITICAL) is Analyzed. A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 ..https://t.co/imA3C3avqG #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    10 Nov 2025


  3. [CVE-2025-47151: CRITICAL] Type confusion in Entr'ouvert Lasso 2.5.1 and 2.8.2 allows attackers to execute arbitrary code via crafted SAML response, exploiting lasso_node_impl_init_from_xml vulnerability.#cve,CVE-2025-47151,#cybersecurity https://t.co/uD0701bIMf https://t.co/nZY8

    @CveFindCom

    5 Nov 2025


  4. CVE-2025-47151 Type Confusion Vulnerability in Entr'ouvert Lasso 2.5.1 and 2.8.2 Enables Arbitrary Code Execution https://t.co/VGvL3HGsgL

    @VulmonFeeds

    5 Nov 2025


  5. **CVE-2025-47151** is a **type confusion vulnerability** found within the `lasso_node_impl_init_from_xml` function of **Entr'ouvert Lasso versions 2.5.1 and 2.8.2**. It allows an attacker who can send a **malformed SAML response** (Security Assertion Markup Language, often used

    @CveTodo

    5 Nov 2025


  6. CVE-2025-47151 A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response c… https://t.co/4KVyoLlYtf

    @CVEnew

    5 Nov 2025


Configurations