VYPR
High severity · 8.3 (NVD) · Advisory · Published Dec 2, 2024 · Updated Apr 15, 2026

CVE-2024-52806

Description

The SimpleSAMLphp SAML2 library is a PHP library for SAML2-related functionality. When loading an (untrusted) XML document, for example a SAMLResponse, it is possible to induce an XXE (XML external entity injection). This vulnerability is fixed in 4.6.14 and 5.0.0-alpha.18.
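As an added example (not code from the simplesamlphp/saml2 project), the following is a minimal hardened loader written in the style of the fix below: it refuses any DOCTYPE before libxml sees the input, leaves out the LIBXML_DTDLOAD | LIBXML_DTDATTR options that let a DTD be loaded, keeps LIBXML_NONET, and adds LIBXML_NO_XXE where PHP 8.4+ defines it. The function name safeLoadXml, the UnsafeXmlDetected exception class and both sample documents are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the simplesamlphp/saml2 project. Names below
// (safeLoadXml, UnsafeXmlDetected, the sample documents) are constructed.

final class UnsafeXmlDetected extends RuntimeException {}

function safeLoadXml(string $xml): DOMDocument
{
    if (trim($xml) === '') {
        throw new InvalidArgumentException('Expected a non-empty XML string');
    }

    // Pre-parse guard: a SAML message never legitimately needs a DOCTYPE,
    // so reject the raw string before libxml processes it.
    if (preg_match('/<(\s*)!(\s*)DOCTYPE/', $xml)) {
        throw new UnsafeXmlDetected(
            'Dangerous XML detected, DOCTYPE nodes are not allowed in the XML body'
        );
    }

    // PHP < 8.0 will resolve external entities unless the loader is disabled;
    // remember the previous state so it can be restored afterwards.
    if (PHP_VERSION_ID < 80000) {
        $previousLoaderState = libxml_disable_entity_loader(true);
    }

    $previousErrorMode = libxml_use_internal_errors(true);
    libxml_clear_errors();

    // The vulnerable configuration used LIBXML_DTDLOAD | LIBXML_DTDATTR, which
    // asks libxml to fetch and apply the DTD. Here the DTD is never loaded,
    // LIBXML_NONET blocks network access during parsing, and LIBXML_NO_XXE
    // (PHP 8.4+) disables external entity substitution outright when present.
    $options = LIBXML_NONET | LIBXML_PARSEHUGE;
    if (defined('LIBXML_NO_XXE')) {
        $options |= LIBXML_NO_XXE;
    }

    $doc = new DOMDocument();
    $loaded = $doc->loadXML($xml, $options);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader($previousLoaderState);
    }

    // Treat any parser diagnostic as a hard failure: untrusted input that does
    // not parse cleanly is not worth interpreting.
    if ($loaded === false || $errors !== []) {
        throw new UnsafeXmlDetected(
            'XML could not be parsed: ' . ($errors[0]->message ?? 'unknown error')
        );
    }

    return $doc;
}

// Constructed sample: a plain SAML-style document without a DOCTYPE parses.
$benign = '<?xml version="1.0"?>'
    . '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example"/>';
echo safeLoadXml($benign)->documentElement->tagName, PHP_EOL;

// Constructed sample: any DOCTYPE is rejected before parsing, even one that
// only declares a harmless internal entity.
$withDoctype = '<?xml version="1.0"?>'
    . '<!DOCTYPE foo [<!ENTITY greeting "hi">]>'
    . '<foo>&greeting;</foo>';
try {
    safeLoadXml($withDoctype);
} catch (UnsafeXmlDetected $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The DOCTYPE check on the raw string is defence in depth; the control that actually prevents the DTD (and any external entities it declares) from being fetched is the absence of LIBXML_DTDLOAD and LIBXML_DTDATTR from the parser options, which is exactly the line the fix commit removes.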

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Source      Affected versions   Patched versions
simplesamlphp/saml2          Packagist   < 4.6.14            4.6.14
simplesamlphp/saml2-legacy   Packagist   < 4.6.14            4.6.14

Patches (3)

Commit 5fd4ce459665: Merge commit from fork

https://github.com/simplesamlphp/saml2 · Tim van Dijen · Dec 1, 2024 · via ghsa
2 files changed · +29 −1
  • src/SAML2/DOMDocumentFactory.php (+13 −1, modified)
    @@ -30,15 +30,27 @@ public static function fromString(string $xml) : DOMDocument
         {
             if (trim($xml) === '') {
                 throw InvalidArgumentException::invalidType('non-empty string', $xml);
    +        } elseif (preg_match('/<(\s*)!(\s*)DOCTYPE/', $xml)) {
    +            throw new RuntimeException(
    +                'Dangerous XML detected, DOCTYPE nodes are not allowed in the XML body'
    +            );
             } elseif (PHP_VERSION_ID < 80000) {
                 $entityLoader = libxml_disable_entity_loader(true);
    +        } else {
    +            libxml_set_external_entity_loader(null);
             }
     
             $internalErrors = libxml_use_internal_errors(true);
             libxml_clear_errors();
     
             $domDocument = self::create();
    -        $options = LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NONET | LIBXML_PARSEHUGE;
    +        $options = LIBXML_NONET | LIBXML_PARSEHUGE;
    +
    +        /* LIBXML_NO_XXE available from PHP 8.4 */
    +        if (defined('LIBXML_NO_XXE')) {
    +            $options |= LIBXML_NO_XXE;
    +        }
    +
             if (defined('LIBXML_COMPACT')) {
                 $options |= LIBXML_COMPACT;
             }
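Review bot: in the PHP >= 8.0 branch, libxml_set_external_entity_loader(null) replaces the process-wide entity loader with no record of what was installed before, while the PHP < 8.0 branch saves the previous state in $entityLoader; a caller that had registered its own loader will find it silently dropped after fromString() returns, and $entityLoader is now assigned on only one path, so any later restore must cope with it being unset. Since there is no API to read the current loader back, consider documenting that fromString() resets it on PHP 8. Separately, the removal of LIBXML_DTDLOAD | LIBXML_DTDATTR is the change that actually stops the DTD from being fetched; the preg_match DOCTYPE check is a useful pre-parse guard, and a one-line comment stating that it is defence in depth rather than the primary control would help the next reader.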
    
  • tests/SAML2/DOMDocumentFactoryTest.php (+16 −0, modified)
    @@ -99,6 +99,22 @@ public function testStringThatContainsDocTypeIsNotAccepted() : void
         }
     
     
    +    /**
    +     * @group                    domdocument
    +     * @return void
    +     */
    +    public function testStringThatContainsDocTypeIsNotAccepted2(): void
    +    {
    +        $xml = '<?xml version="1.0" encoding="ISO-8859-1"?>
    +               <!DOCTYPE foo [<!ENTITY % exfiltrate SYSTEM "file://dev/random">%exfiltrate;]>
    +               <foo>y</foo>';
    +        $this->expectException(RuntimeException::class);
    +        $this->expectExceptionMessage(
    +            'Dangerous XML detected, DOCTYPE nodes are not allowed in the XML body',
    +        );
    +        DOMDocumentFactory::fromString($xml);
    +    }
    +
         /**
          * @group                    domdocument
          * @return void
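Review bot: the method name testStringThatContainsDocTypeIsNotAccepted2 says nothing about how this case differs from testStringThatContainsDocTypeIsNotAccepted just above; the distinguishing feature is a DOCTYPE that declares a parameter entity with a SYSTEM identifier, so a name such as testDocTypeWithExternalParameterEntityIsRejected would document the intent. The test also matches the exception message verbatim, so a rewording of that string in DOMDocumentFactory will fail the test even though behaviour is unchanged; asserting on the exception class alone, or sharing the message through a constant, would be more robust.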
    
