CVE-2025-46572: 
JavaScript vulnerability analysis and mitigation

CVE-2025-46572 affects passport-wsfed-saml2, a package that provides passport strategy for both WS-fed and SAML2 protocol. The vulnerability was discovered and disclosed on May 6, 2025, affecting versions 3.0.5 through 4.6.3. This vulnerability allows attackers to impersonate any user during SAML authentication by crafting a SAMLResponse using a valid SAML object signed by the configured Identity Provider (NVD, GitHub Advisory).

The vulnerability is classified as an improper authentication issue (CWE-287) in the SAML authentication process. It has been assigned a CVSS v4.0 score of 9.3 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N. The vulnerability specifically relates to SAML Signature Wrapping, where the authentication mechanism fails to properly validate SAML responses (NVD, Wiz).

The vulnerability allows attackers to bypass authentication controls and impersonate any user during SAML authentication. This can lead to unauthorized access to user accounts and potential compromise of sensitive information. The impact is particularly severe as it affects the core authentication mechanism of the service (GitHub Advisory).

The vulnerability has been patched in version 4.6.4 of passport-wsfed-saml2. Users are strongly advised to upgrade to this version or later to address the security issue. No alternative workarounds have been provided (GitHub Advisory).