An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01cDh3LTJtdnctMzhwds4AAvTF

Signature bypass via multiple root elements


A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g. without access to a valid user) might also be feasible if generation of a signed message can be triggered.
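The following is an added illustration, not code from node-saml, passport-saml or the advisory. It shows the structural pre-check a service provider can run on an inbound SAML document before trusting any of its content: the document must have exactly one root element, and the enveloped signature must reference that root's ID. The sample documents, element IDs and signature value are constructed placeholders; cryptographic verification of the signature is assumed to happen separately and is not performed here.

```python
"""Structural pre-checks for an inbound SAML document (added illustration, not node-saml code)."""
import re
import xml.etree.ElementTree as ET
from typing import Tuple

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def top_level_element_count(xml_text: str) -> int:
    """Count element nodes at document level, as a lenient parser would expose them.

    A strict parser refuses a second root outright, so to count what a lenient
    parser would see we wrap the text in a synthetic root and count its children.
    """
    body = _XML_DECL.sub("", xml_text, count=1)
    wrapper = ET.fromstring(f"<wrapper>{body}</wrapper>")
    return len(list(wrapper))


def strict_parser_rejects(xml_text: str) -> bool:
    """True if the standard library's strict (expat) parser refuses the document."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return True
    return False


def validate_structure(xml_text: str) -> Tuple[bool, str]:
    """Return (accepted, reason): one root, one signature, reference covers the root."""
    if "<!DOCTYPE" in xml_text:
        return False, "DOCTYPE not allowed"
    try:
        if top_level_element_count(xml_text) != 1:
            return False, "multiple root elements"
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "not well-formed"
    # Exactly one enveloped signature, and it must be a direct child of the root.
    signatures = root.findall(f"{{{DS_NS}}}Signature")
    if len(signatures) != 1:
        return False, "expected exactly one Signature directly under the root"
    refs = signatures[0].findall(f"{{{DS_NS}}}SignedInfo/{{{DS_NS}}}Reference")
    if len(refs) != 1:
        return False, "expected exactly one signed Reference"
    root_id = root.get("ID")
    if not root_id or refs[0].get("URI") != f"#{root_id}":
        return False, "signature reference does not cover the root element"
    return True, "ok"


def _assertion(assertion_id: str, ref_uri: str, subject: str) -> str:
    # Constructed sample; the SignatureValue is a placeholder, not a real signature.
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" ID="{assertion_id}">'
        f'<saml:Issuer>https://idp.example</saml:Issuer>'
        f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{ref_uri}"/></ds:SignedInfo>'
        f'<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        f'</saml:Assertion>'
    )


# Constructed inputs: a well-formed signed assertion, the same document followed by a
# second unsigned root element, and an assertion whose signature references another ID.
SIGNED_OK = _assertion("_a1", "#_a1", "alice")
TWO_ROOTS = SIGNED_OK + (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a2">'
    f'<saml:Subject><saml:NameID>other</saml:NameID></saml:Subject></saml:Assertion>'
)
WRONG_REF = _assertion("_a1", "#_elsewhere", "alice")

if __name__ == "__main__":
    for name, doc in (("SIGNED_OK", SIGNED_OK), ("TWO_ROOTS", TWO_ROOTS), ("WRONG_REF", WRONG_REF)):
        print(name, validate_structure(doc), "strict parser rejects:", strict_parser_rejects(doc))
```

The standard library parser already refuses a second root element, which is the point of the `strict_parser_rejects` helper: a library that tolerates multiple roots and then validates one element while consuming another is where this class of bug lives, so the explicit count exists for stacks whose XML parser is lenient. The reference check is the complementary guard: even with one root, the signed reference must point at the element whose data the application will act on.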


Users should upgrade to node-saml v4.0.0-beta5 or newer.


Disable SAML authentication.



Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago

CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-5p8w-2mvw-38pv, CVE-2022-39300
References: Repository:
Blast Radius: 8.7

Affected Packages

Dependent packages: 4
Dependent repositories: 12
Downloads: 6,710 last month
Affected Version Ranges: < 4.0.0-beta.5
Fixed in: 4.0.0-beta.5
All affected versions: 1.0.0, 1.1.0, 2.0.0, 2.1.0, 2.1.1, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 4.0.0-beta.0, 4.0.0-beta.1, 4.0.0-beta.2
All unaffected versions: