CVE-2022-39299

HIGH

Passport-saml < 3.2.2 - Signature Verification Bypass

Title source: rule

Description

Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.

Exploits (2)

nomisec WORKING POC 19 stars

by doyensec · poc

https://github.com/doyensec/CVE-2022-39299_PoC_Generator

View Code ZIP pw:eip

nomisec STUB 6 stars

by KaztoRay · poc

https://github.com/KaztoRay/CVE-2022-39299-Research

View Code ZIP pw:eip

References (3)

[Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html

[Patch, Third Party Advisory] https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e

[Third Party Advisory] https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7

Scores

CVSS v3 7.4

EPSS 0.0345

EPSS Percentile 87.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-347

Status published

Products (6)

node-saml/node-saml 0 - 4.0.0-beta.5npm

node-saml/passport-saml 0 - 4.0.0-beta.3npm

npm/node-saml 0 - 4.0.0-beta.5npm

npm/passport-saml 0 - 3.2.2npm

passport-saml_project/passport-saml 4.0.0 beta1 (4 CPE variants)

passport-saml_project/passport-saml < 3.2.2

Published Oct 12, 2022

Tracked Since Feb 18, 2026