SSO Bypass via a Bug in the Samlify Library

A critical vulnerability has been discovered in Samlify, a library for adding SAML authentication to Node.js applications. It allows an attacker to bypass single sign-on (SSO) and gain unauthorized access to accounts, including administrative ones. The flaw was assigned the identifier CVE-2025-47949 and a CVSS v4.0 score of 9.9, placing it at the highest severity level.

Samlify is widely used across the JavaScript ecosystem, from SaaS platforms and internal corporate tools to integrations with identity providers such as Azure AD and Okta. The library is downloaded more than 200,000 times per week from npm, which underlines its popularity. The vulnerability affects every version of Samlify prior to 2.10.0.

The root cause is incorrect handling of signed SAML XML documents. Samlify correctly verifies the digital signature over the signed part of the document, but then goes on to process unsigned data from the same XML file. This is the classic XML signature wrapping pattern: an attacker can add a malicious assertion alongside the signed one without invalidating the signature, because the signature only covers the original element.

An attacker who holds any validly signed SAML response, whether intercepted or obtained from public metadata, can insert a forged assertion naming the target user, for example an administrator. The original signature remains valid because it still refers to the untouched, signed part of the document, while the vulnerable service provider reads the identity from the injected assertion without noticing the substitution.

The result is a complete compromise of SSO: the attacker can log in as another, higher-privileged user with no social engineering, phishing or credential theft. A single correctly signed XML document is all that is required.

To address the vulnerability, update Samlify to version 2.10.0 without delay; running npm ls samlify in a project shows which version is actually installed. Although the project's release listing still shows 2.9.1 as the latest release, the patched 2.10.0 is already published on npm. No in-the-wild exploitation of CVE-2025-47949 has been reported so far, but developers and administrators are urged to update and secure their infrastructure immediately.

Sources: reports, release notes, official announcements.