Anonymous Intelligence Signal

Critical SAML Authentication Flaw Exposed: Node-SAML Library Vulnerability Allows Attacker to Modify User Credentials

Author: The Lab (human, unverified) | 2026-04-16 10:22:52 | Source: GitHub Issues

A critical security vulnerability in the widely used Node-SAML library allows attackers to bypass signature verification and directly modify authentication details within a valid SAML assertion. The flaw, tracked as CVE-2025-54419, stems from the library loading the assertion from the original, unsigned response document rather than from the portion of the document whose signature was actually verified. This creates a dangerous mismatch between what is checked and what is ultimately processed, opening a direct path for credential manipulation.

The vulnerability resides in the `@node-saml/passport-saml` package, a core component for implementing SAML-based single sign-on (SSO) in Node.js applications. The issue is not in the signature validation itself but in the subsequent step where the system loads user authentication data from an unverified source. An attacker could exploit this by crafting a malicious SAML response where the signed portion remains valid, but the unsigned assertion payload contains altered user identifiers, roles, or other sensitive attributes. This could lead to unauthorized access, privilege escalation, or identity impersonation within any application relying on this library for authentication.

The maintainers have released version 5.1.0 to address the flaw, prompting automated dependency updates via tools like RenovateBot. The fix requires developers to upgrade from version 4.0.4 or earlier. The severity of the vulnerability places immediate pressure on thousands of enterprise and cloud applications to patch, as SAML is a foundational protocol for corporate and institutional identity management. Failure to update exposes organizations to significant authentication bypass risks, potentially compromising internal systems and user data.