CVE-2025-46573: Passport-wsfed-saml2 allows SAML Authentication Bypass via Attribute Smuggling

May 6, 2025 (updated May 7, 2025)

Overview

This vulnerability allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response.

Am I Affected?

You are affected by this SAML Attribute Smuggling vulnerability if you are using passport-wsfed-saml2 version 4.6.3 or below, specifically under the following conditions:

The service provider is using passport-wsfed-saml2,
A valid SAML Response signed by the Identity Provider can be obtained

Fix

Upgrade to v4.6.4 or greater.

References

github.com/advisories/GHSA-8gqj-226h-gm8r
github.com/auth0/passport-wsfed-saml2
github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181
github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-8gqj-226h-gm8r
nvd.nist.gov/vuln/detail/CVE-2025-46573

Code Behaviors & Features

Detect and mitigate CVE-2025-46573 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →