CVE-2025-47148

Published: Oct 15, 2025Modified: Oct 21, 2025

7.1

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: f5sirt@f5.com (Secondary)

Description

When the BIG-IP system is configured as both a Security Assertion Markup Language (SAML) service provider (SP) and Identity Provider (IdP), with single logout (SLO) enabled on an access policy, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected (8)

Products: F5: Big Ip Access Policy Manager, Big Ip Ssl Orchestrator

2 products

Big Ip Access Policy Manager

Big Ip Ssl Orchestrator

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
F5 Big Ip Access Policy Manager	From 15.1.0 to 15.1.10.8
F5 Big Ip Access Policy Manager	From 16.1.0 to 16.1.6.1
F5 Big Ip Access Policy Manager	From 17.1.0 to 17.1.3
F5 Big Ip Access Policy Manager	Version 17.5.0
F5 Big Ip Ssl Orchestrator	From 15.1.0 to 15.1.10.8
F5 Big Ip Ssl Orchestrator	From 16.1.0 to 16.1.6.1
F5 Big Ip Ssl Orchestrator	From 17.1.0 to 17.1.3
F5 Big Ip Ssl Orchestrator	Version 17.5.0

Related CWEs

CWE-404

Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

References (1)

https://my.f5.com/manage/s/article/K000148816

Source: f5sirt@f5.com

Vendor Advisory

Timeline

No history available yet.