PT-2023-27307 · Node-Saml · Node-Saml

Jindazhao01 · Published 2023-08-21 · Updated 2023-09-05 · CVE-2023-40178

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Node-SAML versions prior to 4.0.5

Description: Node-SAML does not compare the current time against the NotOnOrAfter attribute of a LogoutRequest XML, so the same LogoutRequest can be replayed any number of times even after the NotOnOrAfter time has passed. A user could therefore be logged out by a LogoutRequest that has already expired; if expired LogoutRequests are sent in bulk to many SPs, the impact scales to many users.

Recommendations: For versions prior to 4.0.5, update to version 4.0.5 to resolve the issue. As a temporary workaround, consider implementing additional timestamp validation for LogoutRequest XML to prevent reuse of expired requests. Restrict access to the validatePostRequestAsync() function in saml.js to minimize the risk of exploitation. Avoid using the NotOnOrAfter parameter in the affected API endpoint until the issue is resolved.
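The check the description says is missing, as an added example written for this advisory rather than node-saml's own code: it reads the NotOnOrAfter attribute from a LogoutRequest and rejects the message once the current time has reached it. It assumes the attribute sits on the <samlp:LogoutRequest> element (as SAML 2.0 core defines it), and that the caller supplies an accepted clock skew in milliseconds; the sample message, function names and URLs are constructed.

```javascript
// Added example, not node-saml code: validate NotOnOrAfter on a SAML 2.0
// LogoutRequest (the check CVE-2023-40178 describes as absent before 4.0.5).
// Assumption: NotOnOrAfter is an attribute of the root LogoutRequest element.

// Constructed sample message for the demonstration (not a captured request).
const SAMPLE_LOGOUT_REQUEST = `<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-id-1" Version="2.0"
  IssueInstant="2023-08-21T10:00:00Z" NotOnOrAfter="2023-08-21T10:05:00Z"
  Destination="https://sp.example/logout">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:NameID>user@example</saml:NameID>
</samlp:LogoutRequest>`;

// Pull NotOnOrAfter off the root element. A regex keeps this example free of
// dependencies; production code should read the attribute from the same parsed
// DOM on which the XML signature was verified, so the checked value is the
// signed value.
function extractNotOnOrAfter(xml) {
  const m = xml.match(/<(?:\w+:)?LogoutRequest\b[^>]*?\bNotOnOrAfter="([^"]+)"/);
  return m ? m[1] : null;
}

// Decide whether a LogoutRequest may still be acted on at time nowMs.
// NotOnOrAfter is exclusive: the request is already invalid at that exact
// instant. skewMs widens the window to tolerate IdP/SP clock drift.
function checkLogoutRequestExpiry(xml, nowMs = Date.now(), skewMs = 0) {
  const value = extractNotOnOrAfter(xml);
  if (value === null) {
    // NotOnOrAfter is optional in SAML 2.0; its absence is not an error here.
    return { ok: true, reason: 'no NotOnOrAfter attribute' };
  }
  const expiresMs = Date.parse(value);
  if (Number.isNaN(expiresMs)) {
    return { ok: false, reason: `unparseable NotOnOrAfter: ${value}` };
  }
  if (nowMs >= expiresMs + skewMs) {
    return { ok: false, reason: `LogoutRequest expired at ${value}` };
  }
  return { ok: true, reason: 'within validity window' };
}
```

This bounds reuse to the NotOnOrAfter window; rejecting a still-valid request presented a second time additionally needs a cache of already honoured request IDs.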

Weakness Enumeration

Improper Verification of Cryptographic Signature
Insufficient Session Expiration

Related Identifiers

CVE-2023-40178
GHSA-VX8M-6FHW-PCCW

Affected Products

Node-Saml