CVE-2022-39299

HIGH

passport-saml < 3.2.2 - Authentication Bypass via SAML Signature Verification Flaw

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-39299. PoCs published by doyensec, KaztoRay.

AI-analyzed exploit summary This repository contains a functional exploit generator for CVE-2022-39299, which allows authentication bypass in multi-tenant applications using passport-saml for SAML SSO. The exploit leverages a signature validation flaw where multiple root elements in a SAML response can bypass signature checks.

Description

Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.

Exploits (2)

nomisec WORKING POC 19 stars

by doyensec · poc

https://github.com/doyensec/CVE-2022-39299_PoC_Generator

View Code ZIP pw:eip

This repository contains a functional exploit generator for CVE-2022-39299, which allows authentication bypass in multi-tenant applications using passport-saml for SAML SSO. The exploit leverages a signature validation flaw where multiple root elements in a SAML response can bypass signature checks.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: passport-saml (versions before the patch)

No auth needed

Prerequisites: Access to a signed SAML message without assertions (e.g., error message) · Ability to configure SAML SSO settings in the target platform

MITRE ATT&CK

T1550.003 - Pass the Ticket

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec STUB 6 stars

by KaztoRay · poc

https://github.com/KaztoRay/CVE-2022-39299-Research

View Code ZIP pw:eip

The repository contains only a README file with a title and a single line of text in Korean, indicating it is a placeholder or stub with no actual exploit code or technical details.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html

Patch, Third Party Advisory

https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e

View Patch ZIP pw:eip

Third Party Advisory

https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7

Scores

CVSS v3 7.4

EPSS 0.0465

EPSS Percentile 89.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-347

Status published

Products (6)

node-saml/node-saml 0 - 4.0.0-beta.5npm

node-saml/passport-saml 0 - 4.0.0-beta.3npm

npm/node-saml 0 - 4.0.0-beta.5npm

npm/passport-saml 0 - 3.2.2npm

passport-saml_project/passport-saml 4.0.0 beta1 (4 CPE variants)

passport-saml_project/passport-saml < 3.2.2

Published Oct 12, 2022

Tracked Since Feb 18, 2026