
A critical vulnerability has been discovered in Samlify, a library designed to integrate SAML authentication into Node.js applications, enabling attackers to bypass Single Sign-On (SSO) mechanisms and gain unauthorized access to administrative accounts. The flaw has been assigned the identifier CVE-2025-47949 and received a CVSS v4.0 score of 9.9, signifying the highest level of severity.
Samlify is widely adopted across the JavaScript development ecosystem—from SaaS platforms and internal enterprise tools to integrations with identity providers such as Azure AD and Okta—and sees over 200,000 weekly downloads via npm. All versions of Samlify released prior to 2.10.0 are affected.
The root of the issue lies in the mishandling of signed SAML XML documents. Samlify correctly verifies the digital signature over the signed element, but it then parses and acts on data from unsigned portions of the same XML. This oversight enables an attacker to inject a second, malicious Assertion into the already signed document without invalidating the existing signature, a pattern known as XML Signature Wrapping.
If an attacker obtains access to a valid, signed SAML response—whether through interception or publicly available metadata—they can insert a forged assertion impersonating a target user, such as an administrator. The original digital signature remains valid and applies solely to the benign portion of the document, while the vulnerable service provider erroneously accepts and processes the tampered assertion.
Effectively, this leads to a complete compromise of SSO: the attacker can log in as another user with elevated privileges without resorting to social engineering, phishing, or credential theft. All that is required is a single, legitimately signed XML document.
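The following is an added illustration, not code from this article or from Samlify, of the parsing mistake described above: a consumer that trusts whichever Assertion appears first in the document versus one that only accepts the single Assertion covered by the signature's Reference URI. It uses Python's standard-library XML parser on a constructed response; the cryptographic verification of the signature itself is assumed to happen separately and is omitted.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed fixture: a Response whose single Assertion (_a1) carries an
# enveloped signature referencing its own ID. Signature bytes are dummies.
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed fixture mirroring the article: an unsigned Assertion is placed
# in front of the signed one; the original signature still verifies.
WRAPPED_RESPONSE = SIGNED_RESPONSE.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_x"><saml:Subject><saml:NameID>admin</saml:NameID>'
    '</saml:Subject></saml:Assertion><saml:Assertion ID="_a1">', 1)

def naive_subject(xml: str) -> str:
    """Vulnerable pattern: signature checked elsewhere, then the first
    Assertion in document order is consumed, signed or not."""
    root = ET.fromstring(xml)
    assertion = root.find("saml:Assertion", NS)
    return assertion.find("saml:Subject/saml:NameID", NS).text

def signed_subject(xml: str) -> str:
    """Hardened pattern: exactly one Assertion, it must carry a Signature,
    and that Signature's Reference must point at this Assertion's ID."""
    root = ET.fromstring(xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("Assertion is not the element covered by the signature")
    # Cryptographic verification of the referenced element is assumed here.
    return assertion.find("saml:Subject/saml:NameID", NS).text
```

On the wrapped fixture `naive_subject` returns the injected `admin` identity, while `signed_subject` rejects the document because it contains more than one Assertion.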
To mitigate the risk, it is strongly advised to immediately upgrade Samlify to version 2.10.0. Although GitHub currently lists 2.9.1 as the latest release, the secure version is already available on npm. As of the time of publication, no active exploitation of CVE-2025-47949 has been reported, but developers and system administrators are urged to act swiftly to update and secure their infrastructure.