CVE-2025-54369

24.07.2025, 23:15

Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. This issue is fixed in version 5.1.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
GitHub_M	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Common Weakness Enumeration

CWE-87 - Improper Neutralization of Alternate XSS Syntax
The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

References

https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10

https://github.com/node-saml/node-saml/releases/tag/v5.1.0

https://github.com/node-saml/node-saml/security/advisories/GHSA-m837-g268-mmv7