samlify is a Node.js library for SAML single sign-on. A Signature Wrapping attack has been found in samlify prior to version 2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An attacker would need a signed XML document by the identity provider. Version 2.10.0 fixes the issue.
Signature Wrapping attack involves manipulating the structure of an XML document containing a SAML response — the attacker does not need to break the cryptographic signature, but exploits an error in its verification (CWE-347: Improper Verification of Cryptographic Signature). It is sufficient for the attacker to have any properly signed XML document issued by the identity provider. By manipulating the XML structure, the attacker can inject forged assertions containing any user identity, while the library incorrectly considers the signature as valid.
An attacker can authenticate as any user in the system — including as an administrator — without knowing the password or other authentication credentials, leading to complete account takeover and unauthorized access to protected resources.
The samlify library should be updated immediately to version 2.10.0, which contains a patch eliminating the vulnerability. Details are available in the project's GitHub repository and in the official security advisory (GHSA-r683-v43c-6xqv).
Node.js applications using the samlify library in versions earlier than 2.10.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XSamlify Project Samlify
APPSamlify Project< 2.10.0
Related vulnerabilities
samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution...
An XML Signature Wrapping vulnerability exists in Samlify 2.2.0 and earlier, and in predecessor Express-saml2 ...