Severe Vulnerability in Samlify SSO Allows Unauthorized Administrative Access

A critical vulnerability has been disclosed in the Samlify authentication library. It lets an attacker obtain administrative access by injecting an unsigned, attacker-controlled assertion into a SAML response that carries a valid signature.

Samlify is widely utilized for integrating SAML Single Sign-On (SSO) and Single Log-Out (SLO) into Node.js applications. It is particularly favored among software as a service (SaaS) platforms, businesses implementing SSO for internal applications, and developers working with corporate identity providers such as Azure AD or Okta. This library has a substantial user base, with over 200,000 weekly downloads from npm.

The vulnerability, tracked as CVE-2025-47949, is rated critical with a CVSS v4.0 score of 9.9 and affects all Samlify versions prior to 2.10.0. According to the report from Endor Labs, Samlify correctly verifies the signature on the signed portion of the XML document, but it then reads the user's identity from an assertion that may sit in a different, unsigned part of the same document. The signature check therefore passes while the identity that is actually trusted was never covered by it.

An attacker who obtains a legitimately signed SAML response, whether by intercepting one or by finding one exposed publicly, can abuse this parsing flaw. Without disturbing the signed content, they add to the XML document a second SAML assertion carrying the identity of a target user, such as an administrator.

The exploit works because the service provider (SP) parsing logic, which in this case is Samlify, validates the signature against the original signed element but then processes the unsigned, injected assertion as the authenticated identity. This is the pattern known as XML Signature Wrapping: a valid signature is kept intact while the element the application actually consumes is swapped for one outside the signature's scope.

The result is a complete SSO bypass. An attacker can log in as an administrator with no user interaction and no prior permissions on the target application; the only prerequisite is possession of one validly signed SAML response, which makes the attack straightforward to carry out.

To mitigate the risk, users should upgrade to Samlify 2.10.0, released earlier this month, and pin that version or later in their dependency manifest. Note that the GitHub releases page still lists 2.9.1 as the latest release, while npm already hosts the fixed 2.10.0; the npm package, not the GitHub release list, is the one to check.

As of now, no in-the-wild exploitation of CVE-2025-47949 has been reported, but given that a single captured signed response is all an attacker needs, affected users are strongly urged to upgrade immediately.