Platform
nodejs
Component
passport-wsfed-saml2
Fixed in
3.0.6
4.6.4
CVE-2025-46572 describes a critical authentication bypass vulnerability in the passport-wsfed-saml2 Node.js module, a Passport strategy used to consume WS-Federation and SAML 2.0 responses on the service-provider side. A flaw in the module's signature validation lets an attacker manipulate a SAML response so that it is accepted as authenticating a user other than the one the Identity Provider actually signed for, bypassing authentication. Consistent with the fixed versions listed above, releases before 3.0.6 and 4.x releases before 4.6.4 (4.0.0 through 4.6.3) are affected; the fix ships in 3.0.6 for the 3.x line and 4.6.4 for the 4.x line.
The impact is severe. An attacker who holds a valid SAML document signed by the Identity Provider (IdP) can use it to impersonate any user of the application; the signed document does not have to have been issued for the target user, only by the same IdP. That yields unauthorized access to whatever data, resources and functionality the impersonated account can reach, up to full account takeover of privileged users and, through them, compromise of the whole system. Because SAML is widely used for single sign-on (SSO) in enterprise environments, a single vulnerable service provider can expose every application behind it.
This vulnerability was publicly disclosed on 2025-05-06. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the critical severity warrant immediate attention. No Proof of Concept (PoC) code has been publicly released as of this writing. The vulnerability has not been added to the CISA KEV catalog.
Exploit Status
EPSS
0.30% (53rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-46572 is to upgrade passport-wsfed-saml2 immediately: to 3.0.6 or later if you are on the 3.x line, or to 4.6.4 or later if you are on the 4.x line. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, the temporary workarounds below reduce exposure but do not remove it. On the service-provider side, accept only your IdP's known signing certificate and expected issuer, and reject assertions whose audience does not match your service provider; this narrows who can supply a signed document but does not by itself stop an attacker who already holds one from your IdP. Web Application Firewall (WAF) rules against malformed SAML requests and monitoring of SAML traffic for anomalies (for example, a user identity in the consumed assertion that differs from the one the IdP session logs show) add a thin detective layer only, since the manipulated response still carries a genuine IdP signature. After upgrading, confirm the fix in a test environment by attempting to authenticate with a crafted SAML response and verifying that authentication fails, and check the installed version (including nested copies) with `npm ls passport-wsfed-saml2`.
Update the passport-wsfed-saml2 library to version 3.0.6 or greater on the 3.x line, or 4.6.4 or greater on the 4.x line. This fixes the SAML authentication bypass via signature manipulation. Run `npm install passport-wsfed-saml2@^4.6.4` (or `npm install passport-wsfed-saml2@^3.0.6` to stay on 3.x), or the equivalent `yarn add passport-wsfed-saml2@^4.6.4`. Note that `@latest` resolves to the newest 4.x release, which is a major-version jump for projects still on 3.x; pin to the line you actually run and re-test your login flow.
CVE-2025-46572 is a critical vulnerability in the passport-wsfed-saml2 Node.js module allowing attackers to impersonate users via crafted SAML responses, bypassing authentication.
You are affected if your service provider runs passport-wsfed-saml2 in an affected range: any release before 3.0.6, or a 4.x release from 4.0.0 through 4.6.3. Exploitation requires the attacker to hold a valid SAML document signed by your Identity Provider; it does not require the target user's credentials.
Upgrade to 3.0.6 or greater on the 3.x line, or 4.6.4 or greater on the 4.x line. If an immediate upgrade is not possible, apply the temporary workarounds above (IdP certificate and issuer pinning, audience checks, traffic monitoring) while recognising that they reduce rather than eliminate the risk.
There is currently no indication of active exploitation in the wild, but the vulnerability's severity warrants immediate action.
Refer to the project's repository or associated security advisories for the most up-to-date information.