VYPR
High severityOSV Advisory· Published May 6, 2025· Updated Jun 17, 2026

CVE-2025-46573

CVE-2025-46573

Description

passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
passport-wsfed-saml2npm
>= 3.0.5, < 4.6.44.6.4

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.