PT-2025-19970 · Unknown · Passport-Wsfed-Saml2

Kevinroh-Okta · Published 2025-05-06 · Updated 2025-05-07 · CVE-2025-46573

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: passport-wsfed-saml2 versions 3.0.5 through 4.6.3

Description: A vulnerability in passport-wsfed-saml2 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected when the service provider is using passport-wsfed-saml2 and a valid SAML Response signed by the Identity Provider can be obtained.

Recommendations: For versions 3.0.5 through 4.6.3, update to version 4.6.4 to resolve the issue. As a temporary workaround, consider restricting the use of the SAML authentication feature until the update is applied. Avoid using the passport-wsfed-saml2 strategy for the SAML2 protocol until the issue is resolved.

Weakness Enumeration

Improper Authentication
Authentication Bypass by Spoofing

Related Identifiers

CVE-2025-46573
GHSA-8GQJ-226H-GM8R

Affected Products

Passport-Wsfed-Saml2