CVE-2022-23505: 
JavaScript vulnerability analysis and mitigation

Passport-wsfed-saml2, a ws-federation protocol and SAML2 tokens authentication provider for Passport, was found to contain a significant authentication bypass vulnerability in versions prior to 4.6.3. The vulnerability was assigned CVE-2022-23505 and was disclosed on December 13, 2022. The affected component is the WSFed authentication mechanism within the passport-wsfed-saml2 library (GitHub Advisory).

The vulnerability is classified as an authentication bypass issue (CWE-287) that allows remote attackers to circumvent WSFed authentication when they possess an arbitrary IDP signed assertion. The severity of this vulnerability has been rated as HIGH with a CVSS v3.1 base score of 7.5 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high impact on confidentiality but no impact on integrity or availability (NVD).

The vulnerability could allow remote attackers to bypass authentication mechanisms on websites implementing the affected library. In some cases, depending on the Identity Provider (IDP) configuration, fully unauthenticated attacks might be possible if an attacker can trigger the generation of a signed message (GitHub Advisory).

Users should upgrade to version 4.6.3 or later to address this vulnerability. As a workaround, organizations can switch to using SAML2 authentication instead of WSFed, as the SAML2 protocol is not affected by this vulnerability. The fix implementation does not impact end users (GitHub Advisory).