CVE-2025-54419

Published: 28 Jul 2025
Source: redhat
CVSS3: 7.4
EPSS: Low

Description

A SAML library not dependent on any frameworks that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document. This is different from the parts that are verified when checking the signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. To conduct the attack an attacker would need a validly signed document from the identity provider (IdP). This is fixed in version 5.1.0.

A signature verification flaw was found in the npm @node-saml/node-saml library. This flaw allows an attacker who has access to a validly signed document from the identity provider (IdP) to alter the content of the document, modify the details within the document, and have the modifications be accepted.

Report

This is an Important impact authentication bypass, not a Moderate bug, because it breaks the core trust boundary of SAML: the service provider (SP) makes authorization decisions based on an assertion it believes is protected by the IdP's XML signature. In @node-saml/node-saml ≤5.0.1, the library verifies the signature over one part of the response but then parses and uses fields from the original, unsigned document, a classic signature-wrapping/mismatch flaw. An attacker who possesses any validly signed SAML response (e.g., their own login, a captured response, or one from a lower-privileged account) can alter critical elements, such as the Subject/NameID (e.g., drop a character to map to a different user), group/role attributes, AuthnContext, or Conditions, without invalidating the signature, and the SP will accept the modified values. That enables account takeover, privilege escalation, MFA/step-up bypass (via AuthnContext changes), and policy circumvention across every SP relying on this library. The only prerequisite is access to a single signed response; no IdP compromise is required.
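To make the mismatch concrete, here is an added Python illustration (not code from this page, from node-saml, or from Red Hat) of the two extraction paths side by side: a verifier that checks the signature over the referenced Assertion but then reads the NameID from the original document, and a hardened one that reads it only from the verified node and rejects any uncovered Assertion. An HMAC over the serialised element stands in for XML-DSig, and IDP_KEY, the element names and build_response are all constructed for the demo.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for XML-DSig: the IdP "signature" is an HMAC over the
# serialised bytes of the one Assertion that Signature/@URI references.
# (Assumed key and format; node-saml itself uses xml-crypto, not this.)
IDP_KEY = b"constructed-demo-key"

def sign_assertion(assertion):
    return hmac.new(IDP_KEY, ET.tostring(assertion), hashlib.sha256).hexdigest()

def find_signed_assertion(root):
    """Resolve Signature/@URI to exactly one Assertion and verify it."""
    sig = root.find("Signature")
    if sig is None:
        raise ValueError("no Signature element")
    ref_id = sig.get("URI", "").lstrip("#")
    matches = [a for a in root.iter("Assertion") if a.get("ID") == ref_id]
    if len(matches) != 1:
        raise ValueError("reference must resolve to exactly one Assertion")
    if not hmac.compare_digest(sign_assertion(matches[0]), sig.get("Value", "")):
        raise ValueError("signature mismatch")
    return matches[0]

def name_id_vulnerable(xml_text):
    # Pattern the advisory describes: the signature is checked, but the
    # assertion is then loaded again from the original, unsigned document.
    root = ET.fromstring(xml_text)
    find_signed_assertion(root)
    return root.find(".//Assertion/Subject/NameID").text

def name_id_fixed(xml_text):
    # Hardened: take every authentication field from the verified node only,
    # and refuse a document carrying any Assertion the signature does not cover.
    root = ET.fromstring(xml_text)
    try:
        verified = find_signed_assertion(root)
    except ValueError:
        return None
    if sum(1 for _ in root.iter("Assertion")) != 1:
        return None
    return verified.find("Subject/NameID").text

def build_response(signed_name, extra_unsigned_name=None):
    """Constructed sample: one signed Assertion (ID a1); if extra_unsigned_name
    is given, an unsigned Assertion (ID a2) is placed before it."""
    tmpl = '<Assertion ID="{}"><Subject><NameID>{}</NameID></Subject></Assertion>'
    signed = ET.fromstring(tmpl.format("a1", signed_name))
    root = ET.Element("Response")
    if extra_unsigned_name is not None:
        root.append(ET.fromstring(tmpl.format("a2", extra_unsigned_name)))
    root.append(signed)
    ET.SubElement(root, "Signature", URI="#a1", Value=sign_assertion(signed))
    return ET.tostring(root, encoding="unicode")
```

On a clean response both paths agree; on a document whose signed Assertion is accompanied by an unsigned one, the vulnerable path returns the unsigned NameID while the hardened path returns None.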

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | Status | Advisory | Release
Red Hat Developer Hub | rhdh/rhdh-rhel9-operator | Not affected | |
Red Hat Developer Hub 1.7 | registry.redhat.io/rhdh/rhdh-hub-rhel9 | Fixed | RHSA-2025:14090 | 19.08.2025


Additional information

Status: Important
Weakness: CWE-287
Weakness: CWE-347
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2384049
Bug title: @node-saml/node-saml: Node-SAML Signature Verification Vulnerability

EPSS: 0.00043 (percentile 13%, Low)
CVSS3: 7.4 High

Related vulnerabilities

nvd, CVSS3: 10, 5 months ago: same description as above.

github, CVSS3: 10, 5 months ago: Node-SAML SAML Signature Verification Vulnerability
