CVE-2020-5261

Name: CVE-2020-5261
Creator: NVD / NIST
Published: 2020-03-25T02:15:11.427+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.8/10EPSS 1.20%

Last modified Jun 17, 2026

CVE-2020-5261 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) greater than 2.0.0, and less than version 2.5.0 has a faulty implementation of Token Replay Detection. Token Replay Detection is an important defence in depth measure for Single Sign On solutions. EPSS estimates a 1.20% chance of exploitation in the next 30 days.

Description

Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) greater than 2.0.0, and less than version 2.5.0 has a faulty implementation of Token Replay Detection. Token Replay Detection is an important defence in depth measure for Single Sign On solutions. The 2.5.0 version is patched. Note that version 1.0.1 is not affected. It has a correct Token Replay Implementation and is safe to use. Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) greater than 2.0.0, and less than version 2.5.0 have a faulty implementation of Token Replay Detection. Token Replay Detection is an important defense measure for Single Sign On solutions. The 2.5.0 version is patched. Note that version 1.0.1 and prior versions are not affected. These versions have a correct Token Replay Implementation and are safe to use.

Metrics

CVSS 3.1

6.8/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Probability

1.20%

64.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Sustainsys	Saml2	>= 2.0.0, < 2.5.0

References

https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241Patch, Third Party Advisory
https://github.com/Sustainsys/Saml2/issues/711Issue Tracking, Third Party Advisory
https://github.com/Sustainsys/Saml2/security/advisories/GHSA-g6j2-ch25-5mmvThird Party Advisory
https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241Patch, Third Party Advisory
https://github.com/Sustainsys/Saml2/issues/711Issue Tracking, Third Party Advisory
https://github.com/Sustainsys/Saml2/security/advisories/GHSA-g6j2-ch25-5mmvThird Party Advisory

Timeline

Published: Mar 25, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-5261?

How severe is CVE-2020-5261?

CVE-2020-5261 has a CVSS score of 6.8/10 (MEDIUM severity). The EPSS model estimates a 1.20% probability of exploitation in the next 30 days.

How do I fix CVE-2020-5261?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-5261?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST