passport-wsfed-saml2 SAML Signature Wrapping Vulnerability Allowing User Impersonation

Vulnerability

A vulnerability in passport-wsfed-saml2, affecting versions from 3.0.5 up to but not including 4.6.4, allows an attacker to impersonate users during SAML authentication by crafting a SAMLResponse. The crafted response reuses a valid SAML object signed by the Identity Provider (IdP). A service provider is vulnerable when it uses passport-wsfed-saml2 and the attacker can obtain any valid SAML document from that IdP.
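As an added illustration (not code from passport-wsfed-saml2, and not its fix), the Python check below flags the structural shapes that signature wrapping relies on: duplicate ID attributes, more than one Assertion to consume, and a signature that does not sit inside the element it references. The SAML Response strings are constructed samples; the check complements cryptographic verification of the XMLDSig and does not replace it.

```python
import xml.etree.ElementTree as ET

# Added illustration, not passport-wsfed-saml2 code: structural checks that
# the element a signature covers is the element the SP will actually consume.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ASSERTION, SIGNATURE = "{%s}Assertion" % NS["saml"], "{%s}Signature" % NS["ds"]


def wrapping_findings(xml_text):
    """Return findings for a SAML Response; empty means structurally sound."""
    root = ET.fromstring(xml_text)
    findings, covered = [], set()
    parent_of = {child: parent for parent in root.iter() for child in parent}
    # 1. Duplicate IDs let an unsigned copy shadow the signed "#id" element.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        findings.append("duplicate ID attribute(s): %s" % dupes)
    # 2. Exactly one Assertion should be present to consume.
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        findings.append("expected one Assertion, found %d" % len(assertions))
    # 3. Each enveloped signature must sit inside the element it references.
    for sig in root.iter(SIGNATURE):
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        signed = parent_of.get(sig)
        if signed is None or not uri.startswith("#"):
            findings.append("Signature without an enveloped '#id' Reference")
        elif signed.get("ID") != uri[1:]:
            findings.append("Signature sits outside the element it references")
        elif signed is not root and signed not in assertions:
            findings.append("Signature covers neither Response nor Assertion")
        else:
            covered.add(signed)
    # 4. The consumed Assertion must be covered directly or via the Response.
    if len(assertions) == 1 and not covered & {root, assertions[0]}:
        findings.append("consumed Assertion is not covered by any signature")
    return findings


def sample_response(prefix=""):
    """Constructed sample: one signed Assertion; `prefix` models wrapping."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
            'ID="_r1">%s<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>'
            '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
            '<saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
            '</saml:Subject></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], NS["ds"], prefix))
```

Running the clean sample yields no findings; prepending a second, unsigned Assertion that reuses the signed ID yields both a duplicate-ID and an extra-Assertion finding.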

Impact

Exploitation of this vulnerability allows for user impersonation during SAML authentication, potentially leading to unauthorized access or actions on behalf of the impersonated user.

Remediation

Users can upgrade to passport-wsfed-saml2 version 4.6.4 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.2
impact: 5.0
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.