SecuriTricks - CVE-2025-54419

Description

A SAML library not dependent on any frameworks that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. To conduct the attack an attacker would need a validly signed document from the identity provider (IdP). This is fixed in version 5.1.0.

Product(s) Impacted

Vendor	Product	Versions
Node-saml	Node-saml	5.0.1, <5.1.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	node-saml	node-saml	5.0.1	/	/	/	/	/	/	/
a	node-saml	node-saml	<5.1.0	/	/	/	/	/	/	/

References

https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10

https://github.com/node-saml/node-saml/releases/tag/v5.1.0

https://github.com/node-saml/node-saml/security/advisories/GHSA-4mxg-3p6v-xgq3

CVSS Score

10.0 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

View Vector String

Timeline

Published: July 28, 2025, 8:17 p.m.
Last Modified: July 29, 2025, 2:14 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-54419