A SAML library not dependent on any frameworks that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. To conduct the attack an attacker would need a validly signed document from the identity provider (IdP). This is fixed in version 5.1.0.
node-saml loads the assertion from the original, unsigned SAML response document, which is separate from the fragments verified during digital signature verification. The discrepancy between the verified and actually processed part of the document allows the attacker to modify assertion content — for example, removing any character from the username — while maintaining a valid signature. The precondition for carrying out the attack is the attacker's possession of a legally signed document issued by the identity provider (IdP). The vulnerability is classified as CWE-287 (improper authentication) and CWE-347 (improper verification of cryptographic signature).
An attacker possessing a valid SAML document can assume the identity of another user or modify authentication attributes, gaining unauthorized access to protected resources.
The node-saml library should be updated to version 5.1.0, in which the issue has been fixed. The patch is available in the project's GitHub repository: https://github.com/node-saml/node-saml/releases/tag/v5.1.0
The node-saml library in version 5.0.1 and potentially earlier versions — Node.js applications using this library for SAML authentication handling.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N