A newly disclosed critical vulnerability in Node-SAML, a widely used SAML 2.0 authentication provider for Node.js, could allow attackers to manipulate signed login responses—potentially enabling authentication bypass attacks against web applications.
With over 258,000 downloads per week, Node-SAML is a popular library integrated into authentication flows for web applications that rely on Security Assertion Markup Language (SAML). The vulnerability, tracked as CVE-2025-54419, has received a CVSS score of 10.0, the highest possible severity rating.
“Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature,” the advisory explains.
The vulnerability stems from how Node-SAML parses and verifies SAML assertions. During authentication, SAML responses are digitally signed by an Identity Provider (IdP). These signatures are meant to guarantee the integrity and authenticity of the data received.
However, in affected versions of Node-SAML, the library loads and trusts parts of the SAML assertion from an unsigned portion of the response document, so the data it acts on is not the data the signature check covered.
“This allows an attacker to modify authentication details within a valid SAML assertion,” including critical identity fields such as usernames.
This flaw could let an attacker tamper with the assertion after it’s been signed—for example, by removing characters from a username or changing identity attributes—without invalidating the signature.
To exploit the vulnerability, an attacker would need access to a validly signed SAML document issued by the trusted IdP, whether through compromise, misconfiguration, or replay.
Once in possession of such a document, the attacker could:
- Forge user identities
- Escalate privileges
- Bypass multi-factor authentication
- Gain unauthorized access to protected resources
This makes CVE-2025-54419 particularly dangerous in single sign-on (SSO) environments where SAML assertions are central to identity and access management.
The Node-SAML team has released version 5.1.0, which includes a patch for this vulnerability. The update ensures that only authenticated and verified contents of the SAML assertion are processed, preventing unauthorized modifications.
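To check whether a project still resolves a pre-5.1.0 copy, including copies nested under other dependencies, the following added example (not code from the Node-SAML project or the advisory) walks the `packages` map of a package-lock.json. It assumes the npm package name `@node-saml/node-saml`, which the article does not state, and the lockfile shown is constructed sample data.

```javascript
// Added example: audit a package-lock.json (lockfile v2/v3 "packages" map)
// for Node-SAML installs older than the fixed release named in the article.
const PKG = "@node-saml/node-saml"; // npm package name (assumption, not given on the page)
const FIXED = "5.1.0";              // patched version per the article

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts before `fixed`. A prerelease of the fixed version
// (e.g. 5.1.0-rc.1) counts as older, and unparseable versions are flagged.
function isOlder(version, fixed = FIXED) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true; // fail closed: review by hand
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre;
}

// Return every install path of PKG (top-level and nested) below the fixed version.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@scope/name".
    const name = path.split("node_modules/").pop();
    if (name === PKG && isOlder(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile; in practice pass JSON.parse of your own package-lock.json.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@node-saml/node-saml": { version: "5.1.0" },
    // "some-sso-wrapper" is a hypothetical dependency that pins an older copy.
    "node_modules/some-sso-wrapper/node_modules/@node-saml/node-saml": { version: "4.0.5" },
  },
};

console.log(findVulnerable(sampleLock));
```

A nested hit means a transitive dependency pins the older copy, so upgrading only the top-level package leaves the vulnerable code installed.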