High severity8.1NVD Advisory· Published Dec 27, 2017· Updated May 13, 2026
CVE-2017-16897
CVE-2017-16897
Description
A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
passport-wsfed-saml2npm | < 3.0.5 | 3.0.5 |
Affected products
1Patches
1520b9fc0bb42removed SECURITY-NOTICE file (#186)
1 file changed · +0 −47
SECURITY-NOTICE.md+0 −47 removed@@ -1,47 +0,0 @@ -Security vulnerability details for passport-wsfed-saml2 < 3.0.10 -=============================================================== - -A vulnerability was found in the validation of a SAML signature. The validation doesn't ensure that the "Signature" tag is at the proper location inside an "Assertion" tag. This leads to a signature relocation attack where the attacker can corrupt one field of data while -maintaining the signature valid. This could allow an authenticated attacker to "remove" one group from his assertion or corrupt another field of an assertion. - -Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your `package.json` file is updated to take patch and minor level updates of our libraries. See below: - -``` -{ - "dependencies": { - "passport-wsfed-saml2": "^3.0.10" - } -} -``` - -## Upgrade Notes - -This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions. - -You can read more details regarding the vulnerability [here](https://auth0.com/docs/security/bulletins/cve-2018-8085). - - - -Security vulnerability details for passport-wsfed-saml2 < 3.0.5 -=============================================================== - -A vulnerability has been discovered in the passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider: - -* signs SAML response and signs assertion -* does not sign SAML response and signs assertion - -Developers using the passport-wsfed-saml2 Passport Strategy need to upgrade to the latest version: 3.0.5. - -Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your `package.json` file is updated to take patch and minor level updates of our libraries. See below: - -``` -{ - "dependencies": { - "passport-wsfed-saml2": "^3.0.5" - } -} -``` - -## Upgrade Notes - -This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- auth0.com/docs/security/bulletins/cve-2017-16897nvdVendor AdvisoryWEB
- github.com/advisories/GHSA-77fw-rf4v-vfp9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-16897ghsaADVISORY
- github.com/auth0/passport-wsfed-saml2/commit/520b9fc0bb4249ce83bec47e30153419f086ab70ghsaWEB
- github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-77fw-rf4v-vfp9ghsaWEB
News mentions
0No linked articles in our index yet.