CVE-2022-39299: 
JavaScript vulnerability analysis and mitigation

A critical security vulnerability (CVE-2022-39299) was discovered in passport-saml, affecting versions prior to 3.2.2 and node-saml versions before 4.0.0-beta.5. The vulnerability allows remote attackers to potentially bypass SAML authentication on websites implementing these packages. The issue was disclosed on October 11, 2022, and affects multiple related packages including @node-saml/node-saml, @node-saml/passport-saml, node-saml, and passport-saml (GitHub Advisory).

The vulnerability stems from an implementation flaw that incorrectly handles XML documents with multiple root elements. This breaks the fundamental assumption that there should only be a single root node in the XML tree. The vulnerability has been assigned a High severity rating, indicating its significant potential impact on affected systems (GitHub Advisory).

The vulnerability enables remote attackers to bypass SAML authentication mechanisms on affected websites. The attack can be executed if the attacker possesses an arbitrary IDP signed XML element. In some cases, depending on the Identity Provider (IDP) configuration, completely unauthenticated attacks might be possible if the generation of a signed message can be triggered (GitHub Advisory).

Users are strongly advised to upgrade to passport-saml version 3.2.2 or newer to address this vulnerability. For those using beta releases of node-saml, upgrading to version 4.0.0-beta.5 or later is recommended. If immediate patching is not possible, the only workaround is to disable SAML authentication entirely (GitHub Advisory).