CVE-2023-26483
CVE-2023-26483 is a medium-severity vulnerability in Gosaml2 Project Gosaml2 with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-409.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- EPSS exploit prediction: 1% (57th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-409
- Affected product: Gosaml2 Project Gosaml2
- Published:
- Last modified:
Description
gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. This issue is fixed in version 0.9.0.
Frequently asked questions
- What is CVE-2023-26483?
- gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. This issue is fixed in version 0.9.0.
- How severe is CVE-2023-26483?
- CVE-2023-26483 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability low.
- Is CVE-2023-26483 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-26483?
- CVE-2023-26483 affects Gosaml2 Project Gosaml2. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-26483?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-26483 published?
- CVE-2023-26483 was published on 2023-03-03 and last updated on 2026-06-17.
References
- https://github.com/russellhaering/gosaml2/commit/f9d66040241093e8702649baff50cc70d2c683c0
- https://github.com/russellhaering/gosaml2/releases/tag/v0.9.0
- https://github.com/russellhaering/gosaml2/security/advisories/GHSA-6gc3-crp7-25w5
- https://pkg.go.dev/vuln/GO-2023-1602
Affected products (1)
- cpe:2.3:a:gosaml2_project:gosaml2:*:*:*:*:*:*:*:*
More vulnerabilities in Gosaml2 Project Gosaml2
- CVE-2020-7731 — High (CVSS 7.5): This affects all versions <0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer…
All CVEs affecting Gosaml2 Project Gosaml2 →
Other CWE-409 vulnerabilities
- CVE-2026-55195 — High (CVSS 8.7): py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and…
- CVE-2026-53430 — High (CVSS 8.7): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc…
- CVE-2026-44697 — High (CVSS 8.6): Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated…
- CVE-2026-49755 — High (CVSS 8.2): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows…
- CVE-2026-48594 — High (CVSS 8.2): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of…
- CVE-2026-43970 — High (CVSS 8.2): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows…