SAML Authentication Vulnerability in Auth0's Passport Strategy for WS-fed and SAML2
CVE-2025-46572
9.3 CRITICAL
What is CVE-2025-46572?
A vulnerability in Auth0's passport-wsfed-saml2 strategy allows an attacker to impersonate any user in the Auth0 tenant during SAML authentication. The attacker crafts a malformed SAMLResponse that reuses a legitimate SAML object signed by the configured Identity Provider (IdP), and vulnerable versions of the library accept it as proof of identity for a user of the attacker's choosing. Deployments relying on passport-wsfed-saml2 are affected whenever an attacker can obtain a valid SAML document signed by that IdP. Update to version 4.6.4 or later to mitigate this risk.
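The class of flaw described above, in which a legitimately signed SAML object is embedded in a crafted response, is defeated only if the relying party binds the element whose signature it verified to the element it actually consumes. The following is an added illustration of that structural check, not code from passport-wsfed-saml2 and not a reproduction of the specific CVE-2025-46572 flaw. It assumes the XML signature has already been cryptographically verified by a separate step, and the function names (`select_assertion`, `accepts`, `referenced_ids`) and the three sample responses are constructed for this example. Python is used because its standard library ships an XML parser, so the block runs offline.

```python
# Added illustration, not code from passport-wsfed-saml2 and not a reproduction of
# the CVE-2025-46572 flaw itself. Assumes a relying party that has already verified
# the XML signature cryptographically and now checks which element that signature
# actually covers before trusting an Assertion. Element names follow SAML 2.0 / XMLDSig.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def referenced_ids(root):
    """IDs named by ds:Reference URI="#..." anywhere in the document."""
    ids = set()
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def select_assertion(xml_bytes):
    """Return the one Assertion a signature covers; raise ValueError otherwise.

    Checks, in order: exactly one Assertion exists, it is a direct child of the
    Response (not tucked inside Extensions or another wrapper), its ID is unique,
    and either that ID or the Response's own ID is what a Signature references.
    """
    root = ET.fromstring(xml_bytes)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    if assertion not in list(root):
        raise ValueError("Assertion is not a direct child of Response")
    aid = assertion.get("ID")
    if not aid or sum(1 for e in root.iter() if e.get("ID") == aid) != 1:
        raise ValueError("Assertion ID missing or not unique")
    covered = referenced_ids(root)
    if aid not in covered and root.get("ID") not in covered:
        raise ValueError("no Signature references the Assertion or the Response")
    return assertion


def accepts(xml_bytes):
    """Convenience wrapper: True if select_assertion would trust the response."""
    try:
        select_assertion(xml_bytes)
        return True
    except ValueError:
        return False


# Constructed sample: a well-formed response, one enveloped-signed Assertion.
GOOD = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the legitimately signed Assertion is still present (so the
# signature itself verifies) but has been moved under Extensions, and an unsigned
# Assertion for another user sits where a naive consumer would look first.
WRAPPED = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a single Assertion whose ID is not what the signature covers.
UNREFERENCED = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a2">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in ("GOOD", GOOD), ("WRAPPED", WRAPPED), ("UNREFERENCED", UNREFERENCED):
        print(name, "accepted" if accepts(doc) else "rejected")
```

The check is deliberately strict: a second Assertion anywhere in the document, an Assertion nested below the Response, a non-unique ID, or a Reference that points elsewhere all cause rejection, because each is a lever an attacker can use to get a verifier to sign off on one element while the application reads another. It complements, and does not replace, cryptographic verification of the signature and of the IdP's certificate; the fix in passport-wsfed-saml2 4.6.4 should still be applied regardless of any such check at the application layer.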
Affected Version(s)
passport-wsfed-saml2 >= 3.0.5, < 4.6.4
