CVE-2021-39171: 
JavaScript vulnerability analysis and mitigation

Passport-SAML, a SAML 2.0 authentication provider for Passport and Node.js authentication library, was found to contain a vulnerability (CVE-2021-39171) disclosed on August 27, 2021. Prior to version 3.1.0, the library allowed unlimited transforms in SAML payloads, which could be exploited to consume significant system resources (AttackerKB).

The vulnerability stems from the library's handling of SAML transforms, where it did not impose any limits on the number of transforms that could be processed in a signed node. According to W3C XML Signature best practices, a WebSSO profile shouldn't have more than 2 transforms - typically an 'enveloped-signature' and an exclusive canonicalization transform (GitHub PR).

When exploited, this vulnerability could lead to a denial-of-service condition by consuming significant system resources during the processing of malicious SAML payloads. The attack could be executed through specially crafted SAML messages that would force the system to process an excessive number of transforms, resulting in reduced or denied service (GitHub Advisory).

The vulnerability was resolved in version 3.1.0 of passport-saml. The fix implements a limit of 2 transforms for signed nodes, which aligns with the W3C XML Signature best practices. Users are advised to upgrade to version 3.1.0 or later to address this security issue (GitHub Advisory).