npm package
@node-saml/node-saml
pkg:npm/%40node-saml/node-saml
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54419 | Cri | 10.0 | | < 5.1.0 | 5.1.0 | Jul 28, 2025 | A SAML library not dependent on any frameworks that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authenti |
| CVE-2025-54369 | Cri | — | | < 5.1.0 | 5.1.0 | Jul 24, 2025 | Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an att |
| CVE-2023-40178 | | — | | < 4.0.5 | 4.0.5 | Aug 23, 2023 | Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logg |
| CVE-2022-39299 | | — | | < 4.0.0-beta.5 | 4.0.0-beta.5 | Oct 12, 2022 | Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP |