auth0/passport-wsfed-saml2
cpe:2.3:a:auth0:passport-wsfed-saml2:*:*:*:*:*:*:*
- >= 3.0.5, <= 4.6.3
A vulnerability in passport-wsfed-saml2, present in versions 3.0.5 prior to 4.6.3, allows attackers to impersonate users during SAML authentication by modifying a valid SAML response; the modification consists of adding attributes to the response. Users are affected when their service provider uses passport-wsfed-saml2 and a valid, signed SAML response from the Identity Provider is accessible to the attacker.
Successful exploitation results in unauthorized user impersonation during SAML authentication, which can lead to unauthorized access or to actions performed on behalf of the impersonated user.
Users can upgrade to version 4.6.4 or later to address this vulnerability.