GHSA-ppm4-r2vc-pg74
MEDIUMSimpleSAMLphp Information Disclosure vulnerability
Blast Radius
simplesamlphp/simplesamlphpReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Background
SimpleSAMLphp 1.17 includes a preview of the new user interface to be included in the future version 2.0. This new user interface can be enabled by setting the usenewui configuration option to true, and it includes a new admin interface in a module called admin, which can be disabled.
Description
The new admin interface includes a way to view information about the host where SimpleSAMLphp is installed, by means of the phpinfo() PHP function. An endpoint that exposes the output of that function is included in the admin module for easier debugging.
The aforementioned endpoint had no checks for administrator privileges. This would allow any individual to access the given endpoint without authenticating, gathering information about the affected system.
Affected versions
All SimpleSAMLphp 1.17 versions up to 1.17.7 are affected, provided that the new, experimental use interface is enabled, together with the new admin module.
Impact
An attacker could leverage this issue by accessing the unprotected endpoint and gather intelligence about the host where SimpleSAMLphp is deployed, using it later for their own advantage in case other issues arise.
However, the impact of this issue is deemed as low, given that the new user interface must be explicitly enabled by means of the usenewui configuration option, and the new admin module must also be enabled.
Resolution
Upgrade to SimpleSAMLphp 1.17.8 or 1.18. This can be done by downloading the package, or by running composer update. Refer to the documentation for instructions on how to run composer.
Alternatively, the issue can be mitigated by either disabling the new user interface by setting the usenewui configuration option to false, or by disabling the admin module in the configuration:
'module.enable' => [
...
'admin' => false,
...
],
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | simplesamlphp/simplesamlphp | ≥ 1.17.0&&< 1.17.8 | 1.17.8 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for simplesamlphp/simplesamlphp. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update simplesamlphp/simplesamlphp to 1.17.8 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-ppm4-r2vc-pg74 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-ppm4-r2vc-pg74 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-ppm4-r2vc-pg74. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-ppm4-r2vc-pg74 in your dependencies?
O3 detects GHSA-ppm4-r2vc-pg74 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.