CVE-2024-52596 Overview
CVE-2024-52596 is an XML External Entity (XXE) vulnerability in SimpleSAMLphp xml-common, a library that provides shared classes for handling XML structures across SimpleSAMLphp components. The library loads untrusted XML documents, such as a SAMLResponse, without disabling external entity resolution. An attacker can craft a malicious XML payload that triggers entity expansion when parsed by the underlying DOMDocument loader. The flaw is fixed in xml-common version 1.19.0. The weakness is classified under CWE-611 (Improper Restriction of XML External Entity Reference).
Critical Impact
A remote, unauthenticated attacker can submit crafted XML to read local files, perform server-side request forgery, or disrupt the SAML authentication service.
Affected Products
- SimpleSAMLphp xml-common versions prior to 1.19.0
- Downstream SimpleSAMLphp components that depend on xml-common for SAML message parsing
- Debian LTS packages bundling vulnerable xml-common releases
Discovery Timeline
- 2024-12-02 - CVE-2024-52596 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-52596
Vulnerability Analysis
The vulnerability resides in the XML loading routine implemented in src/DOMDocumentFactory.php. The factory wraps PHP's DOMDocument to parse XML payloads supplied to SimpleSAMLphp, including SAML protocol messages. Before the fix, the parser did not register a restrictive external entity loader, so libxml resolved external entities referenced inside the document type definition (DTD). When the parsed XML originated from an untrusted source, such as an Identity Provider response or a federation metadata file, the attacker controlled which entities libxml resolved.
XXE exploitation against a SAML endpoint is particularly impactful because the endpoint is typically network-reachable and processes attacker-supplied XML by design. Successful exploitation can disclose sensitive files readable by the web server account, route outbound HTTP or file requests to internal services, or cause excessive resource consumption through nested entity expansion.
Root Cause
The root cause is the absence of an explicit call to libxml_set_external_entity_loader() and related hardening before invoking DOMDocument::load() or loadXML(). Without that guard, libxml's default behavior honors SYSTEM and PUBLIC identifiers in the DTD, enabling external entity resolution.
Attack Vector
The attack is delivered over the network through any SimpleSAMLphp endpoint that accepts XML. A typical vector is a crafted SAMLResponse POSTed to the Assertion Consumer Service. No authentication or user interaction is required to deliver the payload.
namespace SimpleSAML\XML;
use DOMDocument;
-use RuntimeException;
use SimpleSAML\Assert\Assert;
use SimpleSAML\XML\Exception\IOException;
+use SimpleSAML\XML\Exception\RuntimeException;
use SimpleSAML\XML\Exception\UnparseableXMLException;
-use function defined;
use function file_get_contents;
+use function func_num_args;
use function libxml_clear_errors;
use function libxml_get_last_error;
+use function libxml_set_external_entity_loader;
use function libxml_use_internal_errors;
use function sprintf;
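Review bot: the new `use function libxml_set_external_entity_loader;` import is the only trace of the hardening in this hunk, so check that the loader is installed before every `load()`/`loadXML()` call path in the factory (the file-based path is still present, since `file_get_contents` stays imported) and that it is reset once parsing finishes; `libxml_set_external_entity_loader()` changes process-wide libxml state that metadata loaders or tests running later in the same worker would otherwise inherit. Two smaller points: replacing `use RuntimeException;` with `use SimpleSAML\XML\Exception\RuntimeException;` changes the exception type callers can catch, and the added `use function func_num_args;` implies a signature change on a public method; both belong in the changelog for 1.19.0.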
Source: GitHub patch commit fa4ade39. The patch introduces libxml_set_external_entity_loader so the factory can install a loader that rejects external entity resolution during XML parsing.
Detection Methods for CVE-2024-52596
Indicators of Compromise
- Inbound SAML messages containing a <!DOCTYPE> declaration or <!ENTITY> definitions referencing SYSTEM or PUBLIC identifiers.
- Outbound HTTP, FTP, or file:// requests originating from the SimpleSAMLphp host immediately after processing a SAML request.
- Web server error logs referencing libxml warnings, failed entity loads, or unexpected file access from the PHP-FPM or Apache user.
Detection Strategies
- Inspect SAML traffic at the reverse proxy or WAF for XML payloads that include DTD declarations, since legitimate SAML assertions do not require them.
- Hunt for web server or PHP-FPM worker processes reading files outside the SimpleSAMLphp document root, such as /etc/passwd or configuration files.
- Correlate authentication endpoint requests with anomalous DNS resolutions or egress connections to attacker-controlled hosts.
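The DTD check above (and the matching WAF workaround) can be applied before any parser runs, directly on the encoded form field. The following is an added example, not SimpleSAMLphp or xml-common code; the function name and the sample payloads are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Pre-parse triage for SAML form fields, added here to illustrate the "no DTD in SAML"
 * rule; not SimpleSAMLphp code. It runs on the still-encoded SAMLResponse/SAMLRequest
 * value, so a proxy or WAF hook can apply it before any XML parser sees the bytes.
 */
function samlDtdIndicators(string $encoded, bool $redirectBinding = false): array
{
    // HTTP-POST carries base64(xml); HTTP-Redirect carries base64(deflate(xml)).
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return ['invalid-base64'];
    }
    if ($redirectBinding) {
        $raw = @gzinflate($raw);
        if ($raw === false) {
            return ['invalid-deflate'];
        }
    }
    // Any of these inside a SAML message is an indicator worth logging and blocking.
    $patterns = [
        'doctype'          => '/<!DOCTYPE\b/i',
        'entity-decl'      => '/<!ENTITY\b/i',
        'external-id'      => '/<!(?:DOCTYPE|ENTITY)[^>]*\b(?:SYSTEM|PUBLIC)\b/is',
        'parameter-entity' => '/<!ENTITY\s+%/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $raw) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}
// Constructed sample payloads, not captured traffic.
$benign = base64_encode('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1" Version="2.0">'
    . '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:Response>');
$suspicious = base64_encode('<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///dev/null">]>'
    . '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&ext;</samlp:Response>');
// The same message as it would appear in the HTTP-Redirect binding.
$redirect = base64_encode(gzdeflate(base64_decode($suspicious)));
var_dump(samlDtdIndicators($benign));
var_dump(samlDtdIndicators($suspicious));
var_dump(samlDtdIndicators($redirect, true));
```

Because the check runs on the raw bytes, it stays safe to apply even against a payload that would break a parser; a non-empty result is the event to log and correlate with the egress and file-access indicators listed above.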
Monitoring Recommendations
- Enable verbose logging in SimpleSAMLphp and forward logs to a centralized analytics platform for retention and search.
- Alert on the SimpleSAMLphp host opening sockets to internal RFC 1918 ranges that are not part of the documented federation topology.
- Track the installed version of the simplesamlphp/xml-common Composer package across hosts and flag any release earlier than 1.19.0.
How to Mitigate CVE-2024-52596
Immediate Actions Required
- Upgrade simplesamlphp/xml-common to version 1.19.0 or later using Composer and redeploy all dependent applications.
- Apply the corresponding Debian LTS package update referenced in the Debian LTS announcement.
- Audit recent web server and SimpleSAMLphp logs for SAML payloads containing DTD or entity declarations.
Patch Information
The fix is published in commit fa4ade39 and described in GHSA-2x65-fpch-2fcm. The patch installs a custom libxml external entity loader that prevents resolution of SYSTEM and PUBLIC references during DOMDocument parsing. Upgrading the package to 1.19.0 is the authoritative remediation.
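To make the described fix concrete, the following hardened loader is an added example that mirrors the approach (reject any DTD, install a libxml external entity loader that resolves nothing, restore libxml state afterwards); it is not xml-common's DOMDocumentFactory, and the function name is chosen here for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hardened XML loader, added here to illustrate the fix's approach; it is not
 * xml-common's DOMDocumentFactory. It refuses any DTD up front, installs a
 * libxml external entity loader that resolves nothing, parses, and then
 * restores libxml's process-wide state.
 */
function loadUntrustedXml(string $xml): DOMDocument
{
    // SAML messages never need a DTD, so any DOCTYPE is grounds for rejection.
    if (preg_match('/<!DOCTYPE\b/i', $xml) === 1) {
        throw new RuntimeException('Document rejected: DOCTYPE is not permitted');
    }

    $previousUseErrors = libxml_use_internal_errors(true);
    libxml_clear_errors();

    // Defence in depth: even if a DTD slipped past the check above, libxml
    // must never open a file or URL. Returning null makes the load fail instead.
    $externalRefs = 0;
    libxml_set_external_entity_loader(
        static function ($publicId, $systemId, array $context) use (&$externalRefs) {
            $externalRefs++;
            return null;
        }
    );

    try {
        $doc = new DOMDocument('1.0', 'UTF-8');
        // LIBXML_NONET forbids network access; LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately not set.
        if ($doc->loadXML($xml, LIBXML_NONET) === false || $externalRefs > 0) {
            $err = libxml_get_last_error();
            $why = $err !== false ? trim($err->message) : 'external entity reference';
            throw new RuntimeException('Document rejected: ' . $why);
        }
        return $doc;
    } finally {
        // Passing null re-installs libxml's default loader. This assumes no other
        // custom loader was active; a shared factory should track and restore its own.
        libxml_set_external_entity_loader(null);
        libxml_clear_errors();
        libxml_use_internal_errors($previousUseErrors);
    }
}
```

The up-front DOCTYPE rejection is the primary gate; the entity loader and the absence of LIBXML_NOENT/LIBXML_DTDLOAD are the layers that hold if a DTD reaches the parser anyway.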
Workarounds
- Front SimpleSAMLphp endpoints with a WAF rule that rejects XML payloads containing <!DOCTYPE or <!ENTITY declarations.
- Restrict outbound network access from the SimpleSAMLphp host so that exploited XXE payloads cannot reach internal services or external collectors.
- Run the PHP worker under a least-privilege account with read access limited to required directories to constrain file disclosure impact.
# Upgrade xml-common to the patched release
composer require simplesamlphp/xml-common:^1.19.0
composer update simplesamlphp/xml-common
# Verify installed version
composer show simplesamlphp/xml-common | grep versions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.