CVE Vulnerabilities

CVE-2025-47148

Improper Resource Shutdown or Release

Published: Oct 15, 2025 | Modified: Oct 21, 2025
CVSS 3.x: N/A | Source: NVD

When the BIG-IP system is configured as both a Security Assertion Markup Language (SAML) service provider (SP) and Identity Provider (IdP), with single logout (SLO) enabled on an access policy, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Weakness

The product does not release or incorrectly releases a resource before it is made available for re-use.

Affected Software

Name                          Vendor  Start Version       End Version
Big-ip_access_policy_manager  F5      15.1.0 (including)  15.1.10.8 (excluding)
Big-ip_access_policy_manager  F5      16.1.0 (including)  16.1.6.1 (excluding)
Big-ip_access_policy_manager  F5      17.1.0 (including)  17.1.3 (excluding)
Big-ip_access_policy_manager  F5      17.5.0 (including)  17.5.0 (including)
Big-ip_ssl_orchestrator       F5      15.1.0 (including)  15.1.10.8 (excluding)
Big-ip_ssl_orchestrator       F5      16.1.0 (including)  16.1.6.1 (excluding)
Big-ip_ssl_orchestrator       F5      17.1.0 (including)  17.1.3 (excluding)
Big-ip_ssl_orchestrator       F5      17.5.0 (including)  17.5.0 (including)

Potential Mitigations

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
