Moderate severity · NVD Advisory · Published Aug 27, 2021 · Updated Aug 4, 2024
Unlimited transforms allowed for signed nodes
CVE-2021-39171
Description
Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. Prior to version 3.1.0, a malicious SAML payload can require transforms that consume significant system resources to process, thereby resulting in reduced or denied service. This would be an effective way to perform a denial-of-service attack. This has been resolved in version 3.1.0. The resolution is to limit the number of allowable transforms to 2.
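The mitigation the advisory describes is a cap on the number of XML Signature transforms a signed node may declare. The following is an added example written for this page, not passport-saml's own code: a cheap defensive pre-check that counts the `Transform` elements under each `Reference` of a `SignedInfo` fragment and rejects a document that declares more than two before any expensive canonicalization or signature work is attempted. The XML fragments are constructed here (the URI and digest values are placeholders), and the regex scan is an illustration of the check, not a substitute for a real XML parser or for the library's full signature validation.

```javascript
// Added example (not passport-saml's own code). Pre-check that counts the
// <ds:Transform> elements declared under each <ds:Reference> and rejects
// documents declaring more than MAX_TRANSFORMS, the limit the advisory
// says version 3.1.0 enforces. Run it before full signature validation.

const MAX_TRANSFORMS = 2;

// One Reference block, with or without a namespace prefix; its body is captured.
const REFERENCE_RE = /<(?:[\w.-]+:)?Reference\b[^>]*>([\s\S]*?)<\/(?:[\w.-]+:)?Reference>/g;
// One Transform start tag (self-closing or not). The "\b" keeps <Transforms> from matching.
const TRANSFORM_RE = /<(?:[\w.-]+:)?Transform\b[^>]*>/g;

// Returns one entry per Reference: the number of Transform elements it declares.
function countTransformsPerReference(xml) {
  const counts = [];
  const refRe = new RegExp(REFERENCE_RE.source, 'g'); // fresh lastIndex per call
  let match;
  while ((match = refRe.exec(xml)) !== null) {
    counts.push((match[1].match(TRANSFORM_RE) || []).length);
  }
  return counts;
}

// Accept only when a Reference exists and every Reference declares at most `max` transforms.
function checkSignatureTransforms(xml, max = MAX_TRANSFORMS) {
  const counts = countTransformsPerReference(xml);
  if (counts.length === 0) {
    return { ok: false, reason: 'no Reference element found in SignedInfo' };
  }
  const worst = Math.max(...counts);
  if (worst > max) {
    return { ok: false, reason: `a Reference declares ${worst} transforms (limit ${max})` };
  }
  return { ok: true, reason: `ok (${worst} transforms)` };
}

// Constructed sample: a SignedInfo fragment whose single Reference declares `n` transforms.
// The first is the usual enveloped-signature transform, the rest exclusive c14n.
function buildSignedInfo(n) {
  const transforms = Array.from({ length: n }, (_, i) =>
    i === 0
      ? '      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
      : '      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
  ).join('\n');
  return `<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#ASSERTION-ID-PLACEHOLDER">
    <ds:Transforms>
${transforms}
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>CONSTRUCTED-DIGEST-PLACEHOLDER</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>`;
}

// Stand-alone run: a normal two-transform reference passes, a fifty-transform one is rejected.
console.log(checkSignatureTransforms(buildSignedInfo(2)));
console.log(checkSignatureTransforms(buildSignedInfo(50)));
```

The check is deliberately placed ahead of canonicalization: the cost the advisory describes is incurred while processing the transforms, so a count taken from the raw `SignedInfo` text lets a responder reject oversized payloads without paying that cost. Legitimate SAML assertions use the enveloped-signature transform plus one canonicalization transform, which is why a limit of two is sufficient.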
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| passport-saml | npm | < 3.1.0 | 3.1.0 |
Affected products
- Range: < 3.1.0
References
- github.com/advisories/GHSA-5379-r78w-42h2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-39171 (NVD advisory)
- github.com/node-saml/passport-saml/commit/f1e00b64c21a725f545e675cd810bbaa435a3972 (fix commit)
- github.com/node-saml/passport-saml/pull/595 (pull request)
- github.com/node-saml/passport-saml/security/advisories/GHSA-5379-r78w-42h2 (project security advisory)