Passport-wsfed-saml2 हस्ताक्षर रैपिंग के माध्यम से SAML प्रमाणीकरण बाईपास की अनुमति देता है
प्लेटफ़ॉर्म
nodejs
घटक
passport-wsfed-saml2
में ठीक किया गया
3.0.6
4.6.4
CVE-2025-46572 describes a critical authentication bypass vulnerability within the passport-wsfed-saml2 Node.js module. This flaw allows attackers to impersonate users by manipulating SAML responses, effectively bypassing authentication controls. The vulnerability affects versions 4.6.3 and earlier. A fix is available in version 4.6.4 and higher.
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
The impact of this vulnerability is severe. An attacker can leverage a valid, signed SAML document from the Identity Provider (IdP) to impersonate any user within the application. This grants them unauthorized access to sensitive data, resources, and functionalities. Successful exploitation could lead to complete account takeover and potential compromise of the entire system. The ability to bypass authentication significantly expands the attack surface and increases the risk of data breaches and malicious activity. This vulnerability is particularly concerning given the widespread use of SAML for single sign-on (SSO) in enterprise environments.
शोषण संदर्भअनुवाद हो रहा है…
This vulnerability was publicly disclosed on 2025-05-06. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the critical severity warrant immediate attention. No Proof of Concept (PoC) code has been publicly released as of this writing. The vulnerability has not been added to the CISA KEV catalog.
कौन जोखिम में हैअनुवाद हो रहा है…
Organizations and applications utilizing Node.js and the passport-wsfed-saml2 module for SAML-based authentication are at risk. This includes businesses relying on single sign-on (SSO) solutions and those integrating with external identity providers. Legacy systems or environments with outdated dependencies are particularly vulnerable.
पहचान के चरणअनुवाद हो रहा है…
• nodejs / server:
npm list passport-wsfed-saml2Check the installed version. If it's <= 4.6.3, the system is vulnerable. • nodejs / server:
npm audit passport-wsfed-saml2This command will identify the vulnerability and suggest an upgrade. • generic web: Review SAML request logs for unusual or unexpected parameters. Look for requests with invalid signatures or unexpected issuers.
हमले की समयरेखा
- Disclosure
disclosure
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
0.30% (53% शतमक)
CISA SSVC
प्रभावित सॉफ्टवेयर
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The primary mitigation for CVE-2025-46572 is to immediately upgrade the passport-wsfed-saml2 module to version 4.6.4 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While not a complete solution, stricter SAML validation on the service provider side, including verifying the issuer and signature, can provide a limited layer of defense. Monitor SAML traffic for suspicious patterns and consider implementing Web Application Firewall (WAF) rules to block malformed SAML requests. After upgrading, confirm the fix by attempting to authenticate with a crafted SAML response and verifying that authentication fails.
कैसे ठीक करें
passport-wsfed-saml2 लाइब्रेरी को संस्करण 4.6.4 या उससे ऊपर के संस्करण में अपडेट करें। यह हस्ताक्षर हेरफेर के माध्यम से SAML प्रमाणीकरण बाईपास भेद्यता को ठीक करता है। `npm install passport-wsfed-saml2@latest` या `yarn add passport-wsfed-saml2@latest` चलाकर अपडेट करें।
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2025-46572 — Authentication Bypass in passport-wsfed-saml2?
CVE-2025-46572 is a critical vulnerability in the passport-wsfed-saml2 Node.js module allowing attackers to impersonate users via crafted SAML responses, bypassing authentication.
Am I affected by CVE-2025-46572 in passport-wsfed-saml2?
You are affected if you are using passport-wsfed-saml2 version 4.6.3 or below and your service provider uses a valid SAML document signed by the Identity Provider.
How do I fix CVE-2025-46572 in passport-wsfed-saml2?
Upgrade to version 4.6.4 or greater. Consider temporary workarounds like stricter SAML validation if an immediate upgrade is not possible.
Is CVE-2025-46572 being actively exploited?
There is currently no indication of active exploitation in the wild, but the vulnerability's severity warrants immediate action.
Where can I find the official passport-wsfed-saml2 advisory for CVE-2025-46572?
Refer to the project's repository or associated security advisories for the most up-to-date information.
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।