Warning: Critical Signature Wrapping Vulnerability in Samlify Library for SAML Single Sign On, Patch Immediately!

Published: 20/05/2025

* Last update: 20/05/2025
* Affected software: Samlify prior to version 2.10.0
* Type: Signature Wrapping attack
* CVE/CVSS: CVE-2025-47949: CVSS 9.9 (CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Sources

Samlify - https://github.com/tngan/samlify/security/advisories/GHSA-r683-v43c-6xqv

Risks

Successful exploitation of this vulnerability, CVE-2025-47949, could allow an attacker to bypass authentication mechanisms, enabling the attacker to gain unauthorized access to systems and applications that use the samlify library for SAML-based single sign-on.

The exploitation of this vulnerability can compromise the integrity of the authentication process.

Description

CVE-2025-47949 is a Signature Wrapping vulnerability identified in the samlify Node.js library for SAML single sign-on. Versions prior to 2.10.0 are vulnerable.
An attacker could exploit this vulnerability to forge a SAML Response by manipulating a signed XML document from the identity provider, enabling the threat actor to authenticate as any user. If successfully executed, this could lead to unauthorized access to sensitive user data and systems.
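Signature wrapping works by making the signature verifier and the assertion consumer look at different parts of the same document. The structural checks below are an added, educational example (not samlify's code and not a description of its specific defect or fix) of what a service provider can enforce before cryptographic verification; Python's standard-library parser is used so the check runs without dependencies, and the sample messages are constructed with placeholder signature values.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 and XML Signature.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def select_signed_assertion(response_xml: str) -> ET.Element:
    """Return the single Assertion whose enveloped Signature covers it.

    Runs before (not instead of) cryptographic verification: it rejects the
    document shapes wrapping relies on, so verifier and consumer can never
    end up looking at two different elements.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if assertion not in list(root):
        raise ValueError("Assertion must be a direct child of the Response")
    signatures = assertion.findall("ds:Signature", NS)
    if len(signatures) != 1:
        raise ValueError("Assertion must carry exactly one enveloped Signature")
    references = signatures[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(references) != 1 or references[0].get("URI") != f"#{assertion.get('ID')}":
        raise ValueError("Signature Reference must point at the consumed Assertion's ID")
    if sum(1 for el in root.iter() if el.get("ID") == assertion.get("ID")) != 1:
        raise ValueError("Assertion ID is not unique in the document")
    return assertion

def subject_name_id(response_xml: str) -> str:
    """The NameID a service provider may trust after the structural checks pass."""
    return select_signed_assertion(response_xml).find("saml:Subject/saml:NameID", NS).text

def is_rejected(response_xml: str) -> bool:
    """True when the structural checks refuse the document."""
    try:
        select_signed_assertion(response_xml)
        return False
    except ValueError:
        return True

# Constructed sample messages; SignatureValue is a placeholder, not a real signature.
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">')
SIGNED = ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
          '</saml:Subject><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
          '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature></saml:Assertion>')
UNSIGNED = ('<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin@example.com</saml:NameID>'
            '</saml:Subject></saml:Assertion>')
GENUINE_RESPONSE = HEAD + SIGNED + "</samlp:Response>"
# Wrapped shape: an unsigned Assertion inserted ahead of the genuine signed one.
WRAPPED_RESPONSE = HEAD + UNSIGNED + SIGNED + "</samlp:Response>"
```

A real deployment still verifies the signature over exactly the element this function returns, with the identity provider's pinned certificate.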

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Tenable - https://www.tenable.com/cve/CVE-2025-47949
NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-47949