A critical samlify authentication bypass vulnerability has been discovered that allows attackers to impersonate administrative users by injecting unsigned malicious assertions into SAML responses.
Samlify is a high-level authentication library that helps developers integrate SAML SSO and Single Log-Out (SLO) into Node.js applications. It is a popular tool for building or connecting to identity providers (IdPs) and service providers (SPs) using SAML.
The library is used by SaaS platforms, organizations implementing SSO for internal tools, developers integrating with corporate identity providers such as Azure AD or Okta, and in federated identity management scenarios. It is very popular, measuring more than 200,000 weekly downloads on npm.
The flaw, tracked as CVE-2025-47949, is a critical (CVSS v4.0 score: 9.9) signature wrapping flaw that affects all versions of samlify before 2.10.0.
As Endor Labs explained in a report, samlify correctly verifies that the XML document providing the user's identity is signed. Nevertheless, it proceeds to read fake assertions from a part of the XML that is not signed.
Attackers who hold a legitimately signed SAML response, obtained through interception or from public metadata, can modify it to exploit the parsing flaw in the library and authenticate as someone else.
“The attacker then takes this legitimately signed XML document and manipulates it. They insert another, malicious SAML assertion into the document,” Endor Labs explains.
“This malicious assertion contains the identity of a target user (e.g., the username of an administrator).”
“The important part is that the valid signature from the original document still applies to a benign part of the XML structure, but the weak parsing logic of the SP will inadvertently process the unsigned, malicious assertion.”
This is a complete SSO bypass, allowing unauthorized remote attackers to escalate privileges and log in as administrators.
The attacker does not require user interaction or special privileges. The only requirement is access to a valid signed XML document, which makes exploitation relatively simple.
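The defensive principle behind this class of flaw is that a service provider should consume only the assertion the signature actually covers. The Python check below is an added example, not samlify's or Endor Labs' code. It assumes the signature verifier hands over the IDs it validated (`verified_ids`, a hypothetical parameter), and the sample responses are constructed, with `ds:Signature` omitted.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def unverified_assertions(xml_text, verified_ids):
    """List reasons a SAML response must not be consumed.

    verified_ids (assumption): ID values of the elements whose XML signature
    the verifier actually validated, handed over by that step.
    """
    root = ET.fromstring(xml_text)  # sample input only; use a hardened parser on real traffic
    findings = []
    # An ID that occurs twice makes "the signed element" ambiguous.
    ids = [el.get("ID") for el in root.iter() if el.get("ID")]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"duplicate ID {dup!r}")
    # Assertions belong directly under the Response, nowhere deeper.
    assertions = list(root.iter(SAML + "Assertion"))
    if len(assertions) != len(root.findall(SAML + "Assertion")):
        findings.append("Assertion found outside the Response's direct children")
    if root.get("ID") not in verified_ids:  # signature does not cover the whole Response
        for a in assertions:
            if a.get("ID") not in verified_ids:
                name_id = a.findtext(f"{SAML}Subject/{SAML}NameID", default="?")
                findings.append(f"unsigned Assertion {a.get('ID')!r} names {name_id!r}")
    return findings

def sample_response(*subjects):
    """Constructed test input: one Assertion per (id, name_id) pair, ds:Signature omitted."""
    body = "".join(
        f'<saml:Assertion ID="{aid}"><saml:Subject><saml:NameID>{nid}</saml:NameID>'
        "</saml:Subject></saml:Assertion>" for aid, nid in subjects)
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">{body}</samlp:Response>')

CLEAN = sample_response(("_a1", "alice@example.test"))
MIXED = sample_response(("_a1", "alice@example.test"), ("_a2", "admin@example.test"))

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("mixed", MIXED)):
        print(label, unverified_assertions(doc, verified_ids={"_a1"}))
```

A non-empty result means the response carries identity data outside the verified signature and should be rejected and logged, rather than passed on to session creation.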
To mitigate the risk, users are advised to upgrade to samlify version 2.10.0, released earlier this month.
Note that GitHub still lists 2.9.1 as the latest release, but npm hosts the safe-to-use 2.10.0 as of writing.
There are no reports of active exploitation of CVE-2025-47949 in the wild, but affected users are advised to take immediate action and secure their environments.