CVE-2025-46572 Overview
CVE-2025-46572 is a critical authentication bypass vulnerability in passport-wsfed-saml2, a Passport strategy library that supports both the WS-Federation and SAML 2.0 protocols. The vulnerability allows an attacker to impersonate any user during SAML authentication by crafting a malicious SAMLResponse. The attack requires a valid SAML document that was signed by the configured Identity Provider (IdP).
Critical Impact
Attackers can fully impersonate any user by crafting a SAMLResponse using a legitimately signed SAML document from the configured IdP, leading to complete authentication bypass and unauthorized account access.
Affected Products
- passport-wsfed-saml2 versions 3.0.5 through 4.6.3
- Applications using passport-wsfed-saml2 for SAML authentication
- Service providers where a valid signed SAML document from the IdP can be obtained
Discovery Timeline
- 2025-05-06 - CVE-2025-46572 published to NVD
- 2025-05-07 - Last updated in NVD database
Technical Details for CVE-2025-46572
Vulnerability Analysis
This vulnerability falls under CWE-287 (Improper Authentication) and represents a severe flaw in how passport-wsfed-saml2 validates SAML responses. The authentication bypass occurs when an attacker can obtain any valid SAML document that was legitimately signed by the configured Identity Provider. Using this signed document, the attacker can craft a SAMLResponse that allows them to impersonate any user in the system.
The vulnerability affects service providers that rely on passport-wsfed-saml2 for federated authentication. The attack requires network access and does not require any prior authentication or user interaction, making it highly exploitable in environments where SAML documents may be intercepted or obtained.
Root Cause
The root cause stems from insufficient validation of SAML response content after signature verification. While the library correctly validates that the SAML document is signed by the trusted IdP, it fails to properly verify that the signed content corresponds to the actual authentication request context. This allows attackers to replay or manipulate signed SAML assertions to authenticate as arbitrary users.
Attack Vector
The attack is conducted over the network without requiring authentication or user interaction. An attacker needs to:
- Obtain a valid SAML document that was signed by the configured Identity Provider
- Craft a malicious SAMLResponse using the signed document
- Submit the crafted response to the service provider
- Gain authenticated access as any user in the system
The vulnerability allows both confidentiality and integrity breaches by enabling complete user impersonation, though availability is not directly impacted.
The security patch addresses this vulnerability by implementing stricter validation of SAML responses. For detailed technical analysis, see the GitHub Security Advisory.
Detection Methods for CVE-2025-46572
Indicators of Compromise
- Unusual SAML authentication patterns, such as multiple users authenticating from the same session or IP address
- SAMLResponse payloads that appear valid but contain inconsistent user identifiers
- Authentication logs showing successful logins for users who report not initiating those sessions
- Sudden increase in authentication requests using previously captured SAML documents
Detection Strategies
- Monitor SAML authentication logs for replay attacks or suspicious response patterns
- Implement anomaly detection for authentication events that deviate from user behavior baselines
- Audit application dependencies to identify vulnerable versions of passport-wsfed-saml2 (versions 3.0.5 through 4.6.3)
- Deploy web application firewalls (WAF) with rules to detect malformed or suspicious SAML responses
Monitoring Recommendations
- Enable detailed logging for all SAML authentication flows including full request and response metadata
- Set up alerts for authentication events from users who are already authenticated in different sessions
- Implement session monitoring to detect concurrent sessions that may indicate account compromise
- Review Identity Provider logs for unusual document signing patterns or bulk document requests
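The replay and multi-user patterns listed under Indicators of Compromise and Detection Strategies, run over constructed sample log lines. This is an added example, not code from the advisory or from the passport-wsfed-saml2 project; the log format and field order are assumptions of the example.

```javascript
// Added example for the detection strategies above; not code from the advisory
// or from passport-wsfed-saml2. Scans service-provider login log lines for two
// patterns: one signed assertion (by assertion ID) accepted more than once, and
// one source IP completing logins as more than N distinct users in a window.
// The log format is constructed for this example; map your own fields to it.

const SAMPLE_LOG = `
2025-05-07T10:00:01Z 203.0.113.10 alice _a1b2c3 login_ok
2025-05-07T10:00:05Z 203.0.113.10 bob   _a1b2c3 login_ok
2025-05-07T10:00:09Z 203.0.113.10 carol _a1b2c3 login_ok
2025-05-07T10:05:00Z 198.51.100.7 dave  _d4e5f6 login_ok
2025-05-07T11:00:00Z 198.51.100.7 erin  _e7f8g9 login_ok
`;

// Fields: timestamp, source IP, authenticated user, SAML assertion ID, result.
function parseLine(line) {
  const [ts, ip, user, assertionId, result] = line.trim().split(/\s+/);
  return { ts: Date.parse(ts), ip, user, assertionId, result };
}

function analyzeSamlLog(text, { windowMs = 10 * 60 * 1000, maxUsersPerSource = 2 } = {}) {
  const events = text.split("\n").filter((l) => l.trim()).map(parseLine)
    .filter((e) => e.result === "login_ok").sort((a, b) => a.ts - b.ts);
  const findings = [];

  // 1. The same signed assertion consumed again: a captured document being replayed.
  const firstUse = new Map();
  for (const e of events) {
    const prior = firstUse.get(e.assertionId);
    if (prior) {
      findings.push({ type: "assertion_replay", assertionId: e.assertionId,
        firstUser: prior.user, user: e.user, ip: e.ip });
    } else {
      firstUse.set(e.assertionId, e);
    }
  }

  // 2. Many distinct identities from one source within the window (the first
  //    indicator listed above); one finding per event that exceeds the threshold.
  const recentBySource = new Map();
  for (const e of events) {
    const recent = (recentBySource.get(e.ip) || []).filter((x) => e.ts - x.ts <= windowMs);
    recent.push(e);
    recentBySource.set(e.ip, recent);
    const users = new Set(recent.map((x) => x.user));
    if (users.size > maxUsersPerSource) {
      findings.push({ type: "multi_user_source", ip: e.ip, users: [...users] });
    }
  }
  return findings;
}
```

On the sample, the assertion `_a1b2c3` is flagged twice (bob and carol reusing alice's document) and 203.0.113.10 is flagged once for three identities inside ten minutes; 198.51.100.7 is clean because its two logins are 55 minutes apart.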
How to Mitigate CVE-2025-46572
Immediate Actions Required
- Upgrade passport-wsfed-saml2 to version 4.6.4 or later immediately
- Audit authentication logs for any signs of exploitation prior to patching
- Review user sessions and consider invalidating all active sessions after upgrade
- Notify security teams and begin incident response procedures if exploitation is suspected
Patch Information
Auth0 has released version 4.6.4 of passport-wsfed-saml2, which contains a fix for this vulnerability. The patch is available through the standard npm package distribution channel. Organizations should update their dependencies immediately.
For patch details, see the GitHub commit.
Workarounds
- If immediate upgrade is not possible, consider temporarily disabling SAML authentication and using alternative authentication methods
- Implement additional application-layer validation of SAML assertions before granting access
- Restrict network access to SAML endpoints to known, trusted IP ranges where feasible
- Enable additional logging and monitoring to detect potential exploitation attempts while awaiting patch deployment
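One shape the application-layer validation workaround can take, given the root cause described above (signed content not bound to the authentication request context): a gate that runs after the library's signature check and ties the assertion to a request this service provider issued, enforces its validity window, and refuses re-use. This is an added example, not code from the advisory or from passport-wsfed-saml2; the plain-object assertion shape and the field names are assumptions of the example.

```javascript
// Added example for the application-layer validation workaround above; not code
// from the advisory or from passport-wsfed-saml2. After the library has checked
// the IdP signature, this gate ties the assertion to a login request this service
// provider actually issued, enforces its validity window, and rejects re-use.
// Assertion fields are assumed to be extracted by your SAML parser into the plain
// object shape shown in CAPTURED below (an assumption of this example, not an API).
class SamlContextValidator {
  constructor({ expectedIssuer, expectedAudience, clockSkewMs = 60 * 1000 }) {
    this.expectedIssuer = expectedIssuer;
    this.expectedAudience = expectedAudience;
    this.clockSkewMs = clockSkewMs;
    this.pendingRequests = new Map();    // AuthnRequest ID -> time issued
    this.consumedAssertions = new Map(); // assertion ID -> NotOnOrAfter (ms)
  }

  // Call when redirecting the user to the IdP with a freshly generated request ID.
  registerRequest(requestId, now = Date.now()) {
    this.pendingRequests.set(requestId, now);
  }

  // Returns { ok: true, subject } or { ok: false, reason }. A validly signed document
  // still fails if it answers none of our outstanding requests, is outside its
  // validity window, or has already been consumed once.
  validate(a, now = Date.now()) {
    if (a.issuer !== this.expectedIssuer) return { ok: false, reason: "unexpected issuer" };
    if (a.audience !== this.expectedAudience) return { ok: false, reason: "audience mismatch" };
    if (!this.pendingRequests.has(a.inResponseTo)) return { ok: false, reason: "unknown InResponseTo" };
    if (Date.parse(a.notBefore) - this.clockSkewMs > now) return { ok: false, reason: "not yet valid" };
    if (Date.parse(a.notOnOrAfter) + this.clockSkewMs <= now) return { ok: false, reason: "expired" };
    if (this.consumedAssertions.has(a.id)) return { ok: false, reason: "assertion replayed" };
    this.pendingRequests.delete(a.inResponseTo); // one request, one response
    this.consumedAssertions.set(a.id, Date.parse(a.notOnOrAfter));
    return { ok: true, subject: a.subject };
  }

  // Entries past their validity window can no longer validate, so drop them.
  prune(now = Date.now()) {
    for (const [id, exp] of this.consumedAssertions) {
      if (exp + this.clockSkewMs <= now) this.consumedAssertions.delete(id);
    }
  }
}

// Constructed sample: one legitimately signed assertion presented more than once.
const CAPTURED = {
  id: "_abc123", issuer: "https://idp.example.test", audience: "https://sp.example.test",
  inResponseTo: "_req1", notBefore: "2025-05-07T10:00:00Z", notOnOrAfter: "2025-05-07T10:05:00Z",
  subject: "alice",
};
```

The consumed-assertion cache must be shared across all service-provider instances (for example in a common store), otherwise a captured document can be replayed against a different node.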
# Update passport-wsfed-saml2 to the patched version (4.6.4 or later)
npm install passport-wsfed-saml2@^4.6.4
# Verify the installed version
npm list passport-wsfed-saml2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

