PT-2022-24883 · Node-Saml, Passport-Saml
Felix Wilhelm · Published 2022-10-12 · Updated 2022-10-14 · CVE-2022-39300
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
node-saml versions prior to 4.0.0-beta5
Description
A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IdP-signed XML element. Depending on the IdP used, fully unauthenticated attacks might also be feasible if generation of a signed message can be triggered.
Recommendations
For versions prior to 4.0.0-beta5, upgrade to node-saml version 4.0.0-beta5 or newer.
As a temporary workaround, consider disabling SAML authentication until a patch is available.
Weakness Enumeration
Improper Verification of Cryptographic Signature
Affected Products
Node-Saml
Passport-Saml