
A security flaw has been discovered in Samlify, a popular Single Sign-On (SSO) library used in Node.js applications. This critical vulnerability allows hackers to log in as admin users without needing a password or any user interaction. The flaw, identified as CVE-2025-47949, has received a CVSS v4.0 severity score of 9.9 out of 10, highlighting its dangerous potential.
Samlify
Samlify is a widely used authentication library that helps developers integrate SAML-based Single Sign-On (SSO) and Single Log-Out (SLO) in Node.js apps. It plays a key role in connecting identity providers (IdPs) like Okta and Azure AD to service providers (SPs), enabling secure user authentication.
Thanks to its ease of use and flexibility, Samlify is used by:
SaaS platforms
Enterprise applications
Developers integrating corporate SSO
Federated identity management systems
According to npm, the library has more than 200,000 weekly downloads, showing its popularity and wide adoption.
The Vulnerability
The vulnerability affects all versions of Samlify before 2.10.0 and is classified as a Signature Wrapping flaw. Signature wrapping is a type of attack in which a hacker takes advantage of a mismatch between the part of the XML that the digital signature actually covers and the part that the application reads during SAML authentication.
In this case, even though Samlify correctly verifies that the SAML XML response carries a valid digital signature, it does not confirm that the assertion it goes on to trust is the element that signature covers. This creates an opportunity for attackers.
According to EndorLabs, which discovered the flaw, here’s how the attack works:
Step 1: The attacker obtains a legitimately signed SAML response, either by intercepting it or through public metadata shared by the identity provider.
Step 2: They then modify this response by injecting a malicious, unsigned SAML Assertion into a different part of the XML.
Step 3: This fake assertion contains the identity of a privileged user, such as an admin.
Step 4: Although the XML’s signature is still valid for the original portion of the document, the vulnerable Samlify library incorrectly processes the malicious part as if it were legitimate.
In short, the attacker can bypass SSO protections and log in as an administrator or any other user, gaining full control without needing a password.
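The defense against this class of flaw is a structural check that runs after the cryptographic signature verification: the assertion the application acts on must be exactly the element the signature's Reference points to, that signature must be enveloped in the element it signs, and no other assertion may appear anywhere in the document. The following Python example is added here and is not code from Samlify or from EndorLabs' write-up; it uses only the standard library so the rules can be read without a SAML dependency, and the same rules apply to a Node.js consumer. The element and namespace names are the standard SAML 2.0 and XML-DSig ones; the IDs, subject names and the placeholder signature values in the sample documents are constructed. The code performs no cryptography and assumes the digest and signature over the referenced element have already been verified by the library.

```python
"""Structural checks a SAML consumer should apply after signature verification.

Illustrative example; not Samlify's code. Namespaces are the real SAML 2.0
and XML-DSig ones, sample IDs/values are constructed for this example.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "samlp": SAMLP, "ds": DS}


class SamlValidationError(Exception):
    """Raised when the document's structure does not match what was signed."""


def select_signed_assertion(response_xml: str) -> ET.Element:
    """Return the one Assertion the enveloped signature covers, or raise.

    Assumes the cryptographic check over the referenced element has already
    passed; this enforces only the structural invariants that tie the signed
    element to the element the application is about to trust.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("root element is not samlp:Response")

    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}

    # Rule 1: IDs must be unique, otherwise a Reference can resolve to the wrong element.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise SamlValidationError("duplicate ID attributes in document")

    # Rule 2: exactly one Assertion anywhere in the tree, directly under the Response.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if parent_of[assertion] is not root:
        raise SamlValidationError("Assertion is not a direct child of the Response")

    # Rule 3: exactly one Reference, pointing by ID at the Response or at that Assertion.
    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise SamlValidationError(f"expected exactly one ds:Reference, found {len(refs)}")
    ref = refs[0]
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise SamlValidationError(f"unsupported Reference URI {uri!r}")
    signed_id = uri[1:]
    if signed_id == root.get("ID"):
        signed_element = root
    elif signed_id == assertion.get("ID"):
        signed_element = assertion
    else:
        raise SamlValidationError("signature does not cover the Response or the Assertion")

    # Rule 4: the Signature must be enveloped in the element it claims to sign
    # (Reference -> SignedInfo -> Signature -> signed element).
    signature = parent_of[parent_of[ref]]
    if parent_of[signature] is not signed_element:
        raise SamlValidationError("Signature is not a child of the element it claims to sign")
    return assertion


def authenticated_subject(response_xml: str) -> str:
    """Return the NameID from the single assertion the signature covers."""
    name_id = select_signed_assertion(response_xml).find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise SamlValidationError("Assertion has no NameID")
    return name_id.text


def rejection_reason(response_xml: str):
    """Return the validation error message, or None when the document is accepted."""
    try:
        select_signed_assertion(response_xml)
    except SamlValidationError as exc:
        return str(exc)
    return None


# --- constructed sample documents (placeholder signature values, no real crypto) ---
def _signature(signed_id: str) -> str:
    return (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{signed_id}"/></ds:SignedInfo>'
            f'<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def _assertion(assertion_id: str, name_id: str, signature: str = "") -> str:
    return (f'<saml:Assertion ID="{assertion_id}">{signature}'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>')


def _response(body: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'xmlns:ds="{DS}" ID="resp-1">{body}</samlp:Response>')


# Legitimate response: one assertion with its own enveloped signature -> accepted.
GOOD_RESPONSE = _response(_assertion("a-1", "alice", _signature("a-1")))
# Signed assertion kept intact so the Reference still resolves, but a second,
# unsigned assertion for another user was added -> rejected by rule 2.
WRAPPED_RESPONSE = _response(_assertion("a-1", "alice", _signature("a-1")) + _assertion("a-2", "admin"))
# Signature moved out of the element it references -> rejected by rule 4.
DETACHED_SIGNATURE_RESPONSE = _response(_signature("a-1") + _assertion("a-1", "alice"))

if __name__ == "__main__":
    print(authenticated_subject(GOOD_RESPONSE))
    for doc in (WRAPPED_RESPONSE, DETACHED_SIGNATURE_RESPONSE):
        print("rejected:", rejection_reason(doc))
```

Rule 2 is what the attack in the steps above would trip over: the legitimately signed assertion has to stay in the document for the digest check to pass, so the injected assertion is always a second one. Rules 3 and 4 catch the variant where the signed element is left in place but the signature or the consumer's lookup is pointed somewhere else, and rule 1 closes the ID-collision route to the same outcome. A library that verifies the signature and then trusts "the first Assertion it finds" passes none of these checks implicitly; they have to be written down.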

Why This is Dangerous
No user interaction needed: Attackers don’t need the victim to click any links or open any files.
No special privileges required: Exploitation can occur without internal access.
Full admin access: Attackers can impersonate high-privilege users and gain control of critical systems.
Simple execution: All it takes is access to a valid signed XML file.
This makes the vulnerability especially dangerous for companies relying on Samlify for securing their user identities.
Recommendation
To protect against this vulnerability, all users are strongly urged to upgrade to Samlify version 2.10.0, which was released earlier this month. This version contains the security patch that resolves the issue.
It’s important to note that:
GitHub still shows version 2.9.1 as the latest version.
However, npm has version 2.10.0 available, and this is the safe version to use.
Developers and DevOps teams should verify that their applications are using the latest version from npm and not relying on older, vulnerable versions from other sources.
As of now, there are no confirmed reports of CVE-2025-47949 being actively exploited in the wild. However, because the flaw is easy to exploit and highly dangerous, security experts are urging organizations to take proactive steps.
Here are some immediate actions to secure your systems:
Update to Samlify 2.10.0 as soon as possible.
Review your SAML configuration to ensure robust validation of all assertions.
Check your logs for any unusual authentication activities.
Audit access controls for critical applications and services.
This vulnerability highlights how critical it is to keep dependencies up to date, especially those related to authentication and user identity. Even well-used libraries like Samlify can contain flaws that open the door for dangerous attacks.
Companies using SAML-based authentication should not delay patching this issue, as attackers could exploit this weakness at any time. Staying informed, updating regularly, and following best practices for secure SAML implementation are key to protecting sensitive data and user accounts.