PT-2025-31149 · Node-Saml · Node-Saml

Published: 2025-07-28 · Updated: 2025-09-03 · CVE-2025-54419

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Node-SAML versions 5.0.1 and below

Description: Node-SAML loads the assertion from the original, unsigned response document rather than from the parts that were verified during signature checking. As a result, authentication details inside a validly signed SAML assertion can be modified without being detected. An attacker could, for example, remove characters from the username within the SAML assertion. Exploitation requires a validly signed document from the identity provider (IdP).

Recommendations: Update to version 5.1.0 or later.
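
A way to check a project for affected installs, as an added example (not code from Node-SAML or from this advisory): it scans the `packages` map of a parsed package-lock.json (lockfile v2/v3 layout) for copies of the library older than 5.1.0, including nested transitive copies. The npm package name `@node-saml/node-saml`, the helper names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Assumption: the library is installed under the npm name "@node-saml/node-saml".
const PKG = "@node-saml/node-saml";
const FIXED = [5, 1, 0]; // first fixed release according to the advisory

// Parse "major.minor.patch[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v || "");
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version sorts before 5.1.0. Conservative choices (assumptions):
// a 5.1.0 prerelease and an unparseable version are both flagged for review.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Walk the lockfile "packages" map so nested (transitive) copies are found too.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget =
      path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
    if (isTarget && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@node-saml/node-saml": { version: "5.1.0" },
    "node_modules/sso-helper/node_modules/@node-saml/node-saml": { version: "5.0.1" },
    "node_modules/legacy/node_modules/@node-saml/node-saml": { version: "4.0.5" },
  },
};

console.log(findAffected(sampleLock));
```

To run it against a real project, pass the object obtained by parsing that project's package-lock.json to `findAffected`; a top-level copy at 5.1.0 does not rule out an older copy pinned by another dependency.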

Exploit

Fix

Weakness Enumeration

Improper Authentication
Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2025-54419
GHSA-4MXG-3P6V-XGQ3

Affected Products

Node-Saml