QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-46573

Back to search

CVE-2025-46573

Published: May 6, 2025

Modified: May 7, 2025

PUBLISHED

Description

passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using `passport-wsfed-saml2` and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.

VendorProductVersions

auth0

passport-wsfed-saml2

affected
>= 3.0.5, < 4.6.4

Weaknesses (CWE)

CWE-287

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now