Introduction
Attackers can manipulate the authentication details in a SAML response accepted by Node.js applications that use Node-SAML, potentially granting themselves unauthorized access to any account. This vulnerability affects a foundational authentication mechanism for many enterprise and cloud applications, making it a high-priority issue for security teams.
Node-SAML is a widely used open source library that implements SAML 2.0 authentication for Node.js applications. It is maintained by the Node-SAML organization, which also oversees related projects like passport-saml and xml-crypto. Node-SAML is a core component for SAML-based single sign-on in many production environments, and its security directly impacts the integrity of authentication across a broad range of applications.
Technical Information
Node-SAML versions 5.0.1 and below are vulnerable to a critical authentication bypass due to how the library processes SAML assertions. After verifying the digital signature on a SAML response, Node-SAML loads the assertion data from the original, unsigned XML document rather than from the cryptographically validated content. This architectural flaw allows an attacker to modify authentication attributes (such as the username) in the SAML assertion without invalidating the signature check.
The attack requires the attacker to obtain a validly signed SAML response from the identity provider (IdP), either by intercepting a legitimate authentication flow or by authenticating to the IdP with credentials of their own. The attacker then modifies the assertion in the unsigned portion of the response (for example, removing or changing characters in the username field) and submits the tampered response to the service provider. Because Node-SAML extracts the assertion data from the untrusted XML, the service provider accepts the manipulated authentication details as valid, resulting in a complete authentication bypass.
The root cause is the separation between signature verification and assertion parsing. The xml-crypto dependency (versions prior to 6.1.2) used by Node-SAML contributed to this issue by not ensuring that only verified content was processed. Node-SAML version 5.1.0 addresses the vulnerability by updating xml-crypto and ensuring that assertion parsing is performed only on verified content.
Affected Systems and Versions
- Node-SAML versions 5.0.1 and below are affected
- Any Node.js application using Node-SAML directly or as a dependency (for example, via passport-saml) is vulnerable
- The vulnerability is present regardless of SAML configuration, as it is rooted in how assertion data is loaded after signature verification
Vendor Security History
Node-SAML and its dependencies have experienced several critical vulnerabilities in 2025, including:
- CVE-2025-54369: Similar authentication bypass in Node-SAML
- CVE-2025-29774 and CVE-2025-29775: XML signature handling flaws in xml-crypto
The Node-SAML maintainers have responded rapidly to these issues, releasing patches and advisories. However, the frequency of vulnerabilities highlights persistent security challenges in SAML implementations for Node.js.
