GSA_kwCzR0hTQS1tODM3LWcyNjgtbW12N84ABKey

Critical CVSS: 9.3

Node-SAML SAML Authentication Bypass

Affected package: npm:@node-saml/node-saml
Affected versions: <= 5.0.1
Fixed version: 5.1.0
Dependent packages: 14
Dependent repositories: 85
Downloads last month: 920,673

Affected Version Ranges

All affected versions

4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0.0, 5.0.1

All unaffected versions

5.1.0

Affected package: npm:node-saml
Affected versions: <= 3.1.2
Fixed version: no known fixed version
Dependent packages: 4
Dependent repositories: 12
Downloads last month: 6,710

Affected Version Ranges

All affected versions

1.0.0, 1.1.0, 2.0.0, 2.1.0, 2.1.1, 3.0.0, 3.1.0, 3.1.1, 3.1.2

Node-SAML loads the assertion from the original, unsigned response document. That content is not the same content that is verified when the signature is checked.

This allows an attacker to modify authentication details within a validly signed SAML assertion. For example, in one attack it is possible to remove any character from the username carried in the SAML assertion.

To conduct the attack an attacker would need a validly signed document from the identity provider (IdP).

In fixing this we upgraded xml-crypto to v6.1.2 and made sure that the SAML assertion is processed only from the verified, authenticated content. This also prevents future variants of the same mismatch from coming up.

References: