Vulnerability Description
Node-SAML is a SAML library for Node that does not depend on any framework. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document, which is not the same content as the parts that are verified when checking the signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. This issue is fixed in version 5.1.0.
References
- https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c1773
- https://github.com/node-saml/node-saml/releases/tag/v5.1.0
- https://github.com/node-saml/node-saml/security/advisories/GHSA-m837-g268-mmv7
FAQ
What is CVE-2025-54369?
CVE-2025-54369 is a documented vulnerability in Node-SAML, a SAML library for Node that does not depend on any framework. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document.
How severe is CVE-2025-54369?
CVSS scoring is not yet available for CVE-2025-54369. Check NVD for updates.
Is there a patch for CVE-2025-54369?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.