A newly disclosed vulnerability, CVE-2025-47949 (CVSSv4 9.9), has put a large number of Single Sign-On (SSO) implementations at risk by introducing a SAML Signature Wrapping (SSW) attack vector into the widely used samlify library. With over 768,000 downloads per month, the impact of this flaw is potentially enormous, affecting enterprise-grade authentication systems worldwide.
samlify is a high-level Node.js API library for implementing SAML 2.0-based SSO (Single Sign-On). It enables developers to streamline federated identity authentication by easily importing identity provider metadata and configuring SAML entities.
The library has gained traction for its flexibility, making it a go-to choice for developers building scalable SAML-based authentication systems.
A critical SAML Signature Wrapping vulnerability has been identified in all samlify versions prior to v2.10.0, allowing an attacker to forge a malicious SAML Response and impersonate any user in the system.
The vulnerability stems from a mismatch between what is verified and what is consumed: the library checks that the XML signature is valid, but does not ensure that the assertion it goes on to read is the element that signature actually covers. An attacker can therefore take a response whose signed assertion is untouched (so the signature still verifies) and insert an additional, unsigned assertion elsewhere in the document. If the identity provider signed only one assertion, but the application extracts a different, unsigned one, authentication controls are completely bypassed.
To exploit this vulnerability, an attacker would:
1. Obtain a legitimate SAML Response signed by a trusted identity provider
2. Modify the XML structure to insert an unsigned malicious assertion, leaving the signed assertion byte-for-byte intact so the signature still validates
3. Ensure the application processes the malicious assertion instead of the signed one
This exploit enables authentication as any user, which could lead to privilege escalation, unauthorized access to sensitive systems, and lateral movement within enterprise environments.
All developers and organizations using samlify should immediately upgrade to version v2.10.0 or later, and confirm that the upgraded version is what is actually resolved in their lockfile rather than an older copy pulled in transitively.