Passport Wsfed Saml2
cpe:2.3:a:auth0:passport-wsfed-saml2:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Auth0 (bd827468-a826-51d4-9e05-912ec56b4756) |
|---|---|
| Product | Passport Wsfed Saml2 (3e1f1a14-7fdf-5512-a9e9-b0cd080bb26b) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/auth0/passport-wsfed-saml2 | purl2cpe | 2026-06-01 10:16:14.521784 |
| pkg:npm/passport-wsfed-saml2 | purl2cpe | 2026-06-01 10:16:14.521788 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-46573 | vulnerable | 2026-06-03 15:01:27.664954 | passport-wsfed-saml2 Has SAML Authentication Bypass via Attribute Smuggling (published 2025-05-06T20:22:00.104Z, updated 2025-05-07T15:34:04.601Z) | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-46572 | vulnerable | 2026-06-03 15:01:27.664623 | passport-wsfed-saml2 Has SAML Authentication Bypass via Signature Wrapping (published 2025-05-06T20:18:26.379Z, updated 2025-05-13T19:17:06.822Z) | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-23505 | vulnerable | 2026-06-03 14:46:27.570098 | Passport-wsfed-saml2 vulnerable to Authentication Bypass for WSFed authentication, MEDIUM (5.3) (published 2022-12-13T07:04:23.487Z, updated 2025-04-23T16:28:35.321Z) | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-16897 | vulnerable | 2026-06-03 14:36:53.555790 | Impersonation when the IdP signs only the assertion, versions < 3.0.5 (published 2017-12-23T21:00:00.000Z, updated 2024-08-05T20:35:21.320Z) | Imported from gcve-enriched-dumps CVE data |

CVE-2025-46573: passport-wsfed-saml2 provides a Passport strategy for both the WS-fed and SAML2 protocols. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using `passport-wsfed-saml2` and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.

CVE-2025-46572: passport-wsfed-saml2 provides a Passport strategy for both the WS-fed and SAML2 protocols. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML document signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.

CVE-2022-23505 (MEDIUM, 5.3): Passport-wsfed-saml2 is a WS-Federation protocol and SAML2 token authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g. without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround.

CVE-2017-16897: A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).