PUBLISHED DATE: May 6, 2025CVE-2025-46572:
passport-wsfed-saml2 provides passport strategy...

Description

passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML document signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.

Questions to Ask Vendors

1. Can you confirm whether your systems are affected by CVE-2025-46572, and if so, what steps are you currently taking to mitigate this vulnerability?
2. What is your estimated timeline for fully resolving CVE-2025-46572 in your products or services, and how will you communicate updates on this issue to us as your customer?

Recommended Actions

• Check out the advisory links provided below.

References

• http://webappsec.pbworks.com/Insufficient-Authentication
• https://capec.mitre.org/data/definitions/114.html
• https://capec.mitre.org/data/definitions/115.html
• https://capec.mitre.org/data/definitions/151.html
• https://capec.mitre.org/data/definitions/194.html
• https://capec.mitre.org/data/definitions/22.html
• https://capec.mitre.org/data/definitions/57.html
• https://capec.mitre.org/data/definitions/593.html
• https://capec.mitre.org/data/definitions/633.html
• https://capec.mitre.org/data/definitions/650.html
• https://capec.mitre.org/data/definitions/94.html
• https://nvd.nist.gov/vuln/detail/CVE-2025-46572