Authentication: Critical gap in Samlify turns attackers into admins
A security update closes a vulnerability in the SAML library Samlify. Attacks are reportedly comparatively simple.
(Image: Song_about_summer/Shutterstock.com)
Admins who implement single sign-on (SSO) logins via the widely used Node.js library Samlify should install the available security patch promptly. Otherwise, attackers can bypass authentication and access systems with extensive privileges.
Security problem
Samlify simplifies the implementation of the SAML standard (Security Assertion Markup Language) to enable SSO logins in web applications. The "critical" vulnerability (CVE-2025-47949) was discovered by security researchers from Endor Labs. In a report, they state that attacks are possible with comparatively little effort. However, there is one hurdle.
To launch an attack, attackers must be in possession of an XML document signed by the identity provider; such a document can be obtained from a man-in-the-middle position. They can then manipulate the document, for example by inserting the username of an admin. Because the vulnerability causes cryptographic signatures not to be verified correctly, they can log in as an admin.
Secure systems
Samlify is widely deployed, including in large companies and cloud environments. The module is downloaded around 200,000 times a week from the npm package manager. Although there are currently no reports of attacks, this could change quickly. Accordingly, admins should act quickly.
To protect systems from the attack described, admins must install Samlify 2.10.0. All previous versions are said to be vulnerable. Caution: The vulnerable version 2.9.1 is still available for download from GitHub. The secure version is already available for download in the npm package manager.
(des)