node-saml
cpe:2.3:a:node_saml_project:node_saml:*:*:*:*:node.js:*:*
- 5.0.1
A vulnerability exists in the Node-SAML library, specifically in version 5.0.1, where the library loads SAML assertions from the original, unsigned response document rather than from the representation on which the signature was verified. Because the assertion that is consumed is not the one that was checked, an attacker holding a validly signed document from the identity provider (IdP) can alter authentication details within that assertion, for instance by removing characters from the username. This issue has been addressed in version 5.1.0 of the library.
Exploitation of this vulnerability allows unauthorized modification of SAML assertion details, such as altering the username by removing characters, which could lead to unauthorized access or actions based on the modified assertion.
The vulnerability can be reproduced by sending a SAML response that is validly signed but includes an unsigned assertion. Node-SAML version 5.0.1 loads the assertion from the unsigned response, so details such as the username can be modified before the assertion is processed, even though the signature check on the response succeeds.
Users should upgrade to Node-SAML version 5.1.0 to address this vulnerability.