CVE-2025-54369
CRITICALnode-saml < 5.1.0 - Improper Verification of Cryptographic Signature
Title source: llmDescription
Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. This issue is fixed in version 5.1.0.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/node-saml/node-saml/security/advisories/GHSA-m837-g268-mmv7
Patch x_refsource_misc
https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10
Release Notes x_refsource_misc
https://github.com/node-saml/node-saml/releases/tag/v5.1.0
Scores
CVSS v4
9.3
EPSS
0.0040
EPSS Percentile
32.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-347
CWE-87
Status
published
Products (3)
node-saml/node-saml
0 - 5.1.0npm
node-saml/node-saml
< 5.1.0
npm/node-saml
0npm
Published
Jul 24, 2025
Tracked Since
Feb 18, 2026