CVE-2025-54419 | A SAML library not dependent on any frameworks that runs in … | CVSS 10.0 CRITICAL

Description

A SAML library not dependent on any frameworks that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. To conduct the attack an attacker would need a validly signed document from the identity provider (IdP). This is fixed in version 5.1.0.

Metadata

CVE ID: CVE-2025-54419
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2025-07-21 23:18 UTC
Published: 2025-07-28 19:47 UTC
Last updated: 2025-07-28 20:39 UTC
Primary CWE: CWE-287
CWE-287: Improper Authentication
Vendor / Product: node-saml / node-saml
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
node-saml	node-saml	—	= 5.0.1

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287: Improper Authentication
CWE-347	cna	CWE-347: Improper Verification of Cryptographic Signature

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

References (3)

https://github.com/node-saml/node-saml/security/advisories/GHSA-4mxg-3p6v-xgq3 https://github.com/node-saml/node-saml/security/advisories/GHSA-4mxg-3p6v-xgq3
https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10 https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10
https://github.com/node-saml/node-saml/releases/tag/v5.1.0 https://github.com/node-saml/node-saml/releases/tag/v5.1.0