Critical severityOSV Advisory· Published May 6, 2025· Updated Apr 15, 2026
CVE-2025-46572
CVE-2025-46572
Description
passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML document signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
passport-wsfed-saml2npm | >= 3.0.5, < 4.6.4 | 4.6.4 |
Affected products
2- Range: v3.0.10, v3.0.11, v3.0.12, …
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.