A critical vulnerability has been discovered in the popular open-source Node.js library Node-SAML, used to implement SAML 2.0 authentication workflows. Tracked as CVE-2025-54369 and scoring a CVSS v4 base score of 9.3, this flaw puts millions of users at risk by undermining the trust model of SAML authentication itself.
The vulnerability arises from how Node-SAML processes incoming SAML responses. While the library verifies signatures correctly, it then loads the assertion data from the original (unsigned) document, not the verified content.
“Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature,” the advisory explains.
This discrepancy allows an attacker to modify authentication details within a valid SAML assertion—effectively bypassing authentication controls while appearing legitimate.
One concrete example cited in the advisory is the ability for an attacker to remove or alter characters from the username field in a SAML assertion. In practice, this could lead to:
- Privilege escalation: Impersonating privileged accounts
- Account confusion: Triggering misrouting or policy mismatches
- Single sign-on bypasses: Skipping identity provider (IdP) checks
“In one attack it is possible to remove any character from the SAML assertion username,” researchers warned.
The vulnerability has been patched in Node-SAML version 5.1.0. The fix includes two critical changes:
- Upgrade of xml-crypto to version 6.1.2, which addresses internal XML signature handling bugs.
- Rewritten logic to ensure assertions are parsed only from verified/authenticated content, eliminating the dangerous gap between verification and processing.
“This will prevent future variants from coming up,” the development team noted.