Platform: nodejs
Component: passport-wsfed-saml2
Fixed in: 3.0.6, 4.6.4
CVE-2025-46572 describes a critical authentication bypass vulnerability within the passport-wsfed-saml2 Node.js module. This flaw allows attackers to impersonate users by manipulating SAML responses, effectively bypassing authentication controls. The vulnerability affects versions 4.6.3 and earlier. A fix is available in version 4.6.4 and higher.
The impact of this vulnerability is severe. An attacker can leverage a valid, signed SAML document from the Identity Provider (IdP) to impersonate any user within the application. This grants them unauthorized access to sensitive data, resources, and functionalities. Successful exploitation could lead to complete account takeover and potential compromise of the entire system. The ability to bypass authentication significantly expands the attack surface and increases the risk of data breaches and malicious activity. This vulnerability is particularly concerning given the widespread use of SAML for single sign-on (SSO) in enterprise environments.
This vulnerability was publicly disclosed on 2025-05-06. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the critical severity warrant immediate attention. No Proof of Concept (PoC) code has been publicly released as of this writing. The vulnerability has not been added to the CISA KEV catalog.
Organizations and applications utilizing Node.js and the passport-wsfed-saml2 module for SAML-based authentication are at risk. This includes businesses relying on single sign-on (SSO) solutions and those integrating with external identity providers. Legacy systems or environments with outdated dependencies are particularly vulnerable.
• nodejs / server: run `npm list passport-wsfed-saml2` and check the installed version. If it is <= 4.6.3, the system is vulnerable.
• nodejs / server: run `npm audit passport-wsfed-saml2`. This command identifies the vulnerability and suggests an upgrade.
• generic web: Review SAML request logs for unusual or unexpected parameters. Look for requests with invalid signatures or unexpected issuers.
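The version check from the first step, carried out over `npm ls --json` output so that transitive copies of the package are found as well, as an added example that is not part of the advisory or of the project's own code. The fixed versions (3.0.6 for the 3.x line, 4.6.4 for the 4.x line) are taken from the "Fixed in" field above; the dependency tree is a constructed sample, and treating majors above 4 as fixed is an assumption.

```javascript
// Added example (not from the advisory or the project): flag installs of
// passport-wsfed-saml2 in `npm ls --json` output affected by CVE-2025-46572.
const PACKAGE = 'passport-wsfed-saml2';
const FIXED_IN = { 3: [3, 0, 6], 4: [4, 6, 4] }; // fix releases listed by the advisory

// Parse "4.6.3" (or "v4.6.3-beta.1") into [4, 6, 3]; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Vulnerable when older than the fix on its own major line. Majors below 3 have
// no fix listed, so they count as affected; majors above 4 post-date the fix (assumption).
function isVulnerable(version) {
  const v = parseVersion(version);
  const fix = FIXED_IN[v[0]];
  if (!fix) return v[0] < 3;
  return compareVersions(v, fix) < 0;
}

// Walk the nested `dependencies` tree, recording every install path of the
// package (direct and transitive) so a vulnerable nested copy is not missed.
function findPackage(tree, name = PACKAGE, path = [], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name && info.version) {
      out.push({ path: here.join(' > '), version: info.version, vulnerable: isVulnerable(info.version) });
    }
    findPackage(info, name, here, out);
  }
  return out;
}

// Constructed sample of `npm ls --json` output: a vulnerable direct install
// and a transitive install that already carries the fix.
const SAMPLE_NPM_LS = {
  name: 'example-app', version: '1.0.0',
  dependencies: {
    [PACKAGE]: { version: '4.6.3' },
    'some-auth-wrapper': { version: '2.1.0', dependencies: { [PACKAGE]: { version: '4.6.4' } } },
  },
};

for (const f of findPackage(SAMPLE_NPM_LS)) console.log(`${f.vulnerable ? 'VULNERABLE' : 'fixed     '} ${f.path}`);
```

To run it against a real project, replace `SAMPLE_NPM_LS` with `JSON.parse` of the captured `npm ls --json --all` output.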
Exploit status: disclosure
EPSS: 0.30% (53rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-46572 is to immediately upgrade the passport-wsfed-saml2 module to version 4.6.4 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While not a complete solution, stricter SAML validation on the service provider side, including verifying the issuer and signature, can provide a limited layer of defense. Monitor SAML traffic for suspicious patterns and consider implementing Web Application Firewall (WAF) rules to block malformed SAML requests. After upgrading, confirm the fix by attempting to authenticate with a crafted SAML response and verifying that authentication fails.
Update the passport-wsfed-saml2 library to version 4.6.4 or later. This fixes the SAML authentication bypass vulnerability caused by signature manipulation. Run `npm install passport-wsfed-saml2@latest` or `yarn add passport-wsfed-saml2@latest` to update.
CVE-2025-46572 is a critical vulnerability in the passport-wsfed-saml2 Node.js module allowing attackers to impersonate users via crafted SAML responses, bypassing authentication.
You are affected if you are using passport-wsfed-saml2 version 4.6.3 or below and your service provider uses a valid SAML document signed by the Identity Provider.
Upgrade to version 4.6.4 or greater. Consider temporary workarounds like stricter SAML validation if an immediate upgrade is not possible.
There is currently no indication of active exploitation in the wild, but the vulnerability's severity warrants immediate action.
Refer to the project's repository or associated security advisories for the most up-to-date information.