{"id":3291,"date":"2025-05-22T11:23:32","date_gmt":"2025-05-22T11:23:32","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3291"},"modified":"2025-05-22T11:23:32","modified_gmt":"2025-05-22T11:23:32","slug":"samlify-bug-lets-attackers-bypass-single-sign-on","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3291","title":{"rendered":"Samlify bug lets attackers bypass single sign-on"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A critical vulnerability in the popular samlify library could potentially allow attackers to bypass Single Sign-On (SSO) protections and gain unauthorized access to systems relying on SAML for authentication.<\/p>\n<p>Tracked as CVE-2025-47949, the flaw affecting the widely used Node.js library can allow a Signature Wrapping attack with maximum impact, for which it received a critical rating of CVSS 9.9 out of 10.<\/p>\n<p>\u201cThe vulnerability affecting samlify versions prior to 2.10.0 is a severe weakness classified under CWE-347: Improper Verification of Cryptographic Signature,\u201d EndorLabs said in a blog post. \u201cIt allows an attacker to forge SAML Responses, leading to complete authentication bypass and arbitrary user impersonation (including administrators).\u201d<\/p>\n<p>Samlify is a library designed to simplify the implementation of <a href=\"https:\/\/www.csoonline.com\/article\/563215\/how-saml-works-and-enables-single-sign-on.html\">SAML<\/a> 2.0 for Single Sign-On (<a href=\"https:\/\/www.csoonline.com\/article\/510713\/sso-explained-single-sign-on-definition-examples-and-terminology.html\">SSO<\/a>) and Single Log-Out (SLO) by providing a high-level API. 
It has over 200,000 weekly downloads on npm and has 62 dependent packages that integrate with it.<\/p>\n<h2 class=\"wp-block-heading\">Exploiting weak XML signature validation<\/h2>\n<p>SAML depends on XML signatures to verify who is who in the authentication handshake between identity providers (IdP) and service providers (SP). But when a SAML parser isn\u2019t strict about what it checks, attackers can take advantage. That\u2019s what happens in a Signature Wrapping attack.<\/p>\n<p>The attack begins with obtaining a valid XML document signed by the identity provider, possibly by intercepting a login session using a man-in-the-middle setup or just grabbing a signature from publicly available IdP metadata.<\/p>\n<p>The attackers then insert a second, fake assertion\u2013claiming to be an admin\u2013into the already obtained, signed XML snippet. Owing to lax parsing rules in samlify versions prior to 2.10.0, the service provider ends up processing the attacker\u2019s fake, unsigned identity along with the original signature.<\/p>\n<p>Endor Labs researchers warned that this flaw <a href=\"https:\/\/www.endorlabs.com\/learn\/cve-2025-47949-reveals-flaw-in-samlify-that-opens-door-to-saml-single-sign-on-bypass\" target=\"_blank\" rel=\"noopener\">opens the door to SAML SSO bypass<\/a> and is easy to exploit as the \u201cattack complexity is low\u201d, \u201cno privileges are required\u201d, and \u201cno user interaction is needed\u201d. 
Additionally, the requirement for obtaining a signed XML was noted as \u201crealistic\u201d.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>SAML authenticators should update to patched versions<\/h2>\n<p>The flaw has been addressed through patches in samlify versions 2.10.0 and later.<\/p>\n<p>Researchers have recommended that systems using SAML authentication must update to a fixed version and ensure \u201csecure SSO flows: implement HTTPS and avoid untrusted sources for SAML flows.\u201d<\/p>\n<p>SAML-powered SSO supports a range of use cases: enterprise applications, SaaS integrations with identity providers like Okta or Azure AD, <a href=\"https:\/\/www.csoonline.com\/article\/575435\/what-is-federated-identity-how-it-works-and-its-importance-to-enterprise-security.html\">federated identity<\/a> across organizations, and developer platforms needing secure user authentication. A full authentication bypass through this flaw could enable attackers to gain access to sensitive resources, private data, or privileged actions under the impersonated identity.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A critical vulnerability in the popular samlify library could potentially allow attackers to bypass Single Sign-On (SSO) protections and gain unauthorized access to systems relying on SAML for authentication. 
Tracked as CVE-2025-47949, the flaw affecting the widely used Node.js library can allow a Signature Wrapping attack with maximum impact, for which it received a critical [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3287,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3291","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3291"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3291"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3291\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3287"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}