SAML Authentication Vulnerability in Passport-WSFED-SAML2 by Auth0
CVE-2025-46573

8.6HIGH

Key Information:

Vendor: Auth0
Status: Passport-wsfed-saml2
Vendor: CVE Published:; 6 May 2025

What is CVE-2025-46573?

A vulnerability in the passport-wsfed-saml2 package allows attackers to impersonate any user during SAML authentication. This occurs when an attacker manipulates a valid SAML response by adding unauthorized attributes. If the service provider employs passport-wsfed-saml2 and a valid SAML response is available from the Identity Provider, users are at risk. The issue persists from version 3.0.5 up to and including version 4.6.3, with version 4.6.4 issued as a remedy.

Affected Version(s)

passport-wsfed-saml2 >= 3.0.5, < 4.6.4

References

https://github.com/auth0/passport-wsfed-saml2/security/ad...

x_refsource_CONFIRM

https://github.com/auth0/passport-wsfed-saml2/commit/e5cf...

x_refsource_MISC

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2025
Vulnerability Reserved
Apr 24, 2025

CVE-2025-46573 Data

JSON