CVE-2025-46572: Passport-wsfed-saml2 allows SAML Authentication Bypass via Signature Wrapping

May 6, 2025

Overview

This vulnerability allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP.

Am I Affected?

You are affected by this SAML Signature Wrapping vulnerability if you are using passport-wsfed-saml2 version 4.6.3 or below, specifically under the following conditions:

The service provider is using passport-wsfed-saml2,
A valid SAML document signed by the Identity Provider can be obtained.

Fix

Upgrade to v4.6.4 or greater.

References

github.com/advisories/GHSA-wjmp-wphq-jvqf
github.com/auth0/passport-wsfed-saml2
github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181
github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-wjmp-wphq-jvqf
nvd.nist.gov/vuln/detail/CVE-2025-46572

Code Behaviors & Features

Detect and mitigate CVE-2025-46572 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →