Does CVE-2025-54419 affect passport-saml 3.x?

[oliverlockwood]

The vulnerability described in GHSA-4mxg-3p6v-xgq3 (CVE-2025-54419) is marked as affecting @node-saml/node-saml versions <=5.0.1.

@cjbarth I would be very grateful if you (or anyone else) could advise whether versions of passport-saml which predate the breakout of this library (which as far as I can tell was performed in version 4.0.0).

For example, is an implementation that uses passport-saml version 3.2.4 considered vulnerable?

Obviously, main branches should simply move forward to take the fix you have implemented, but it is a more nuanced question when it comes to older long-term supported software.

Thanks for your time.

[ahacker1-securesaml]

Yes, passport-saml 3.x is affected. I updated the advisory: GHSA-4mxg-3p6v-xgq3 to reflect this.

Obviously, main branches should simply move forward to take the fix you have implemented, but it is a more nuanced question when it comes to older long-term supported software.

Definitely. I strongly suggest sponsoring the maintainer if you want your feature requests to be put forward i.e. backporting security fixes.

What would you think about an "Enterprise Security Plan" for SAML Libraries (like node-saml). As you know SAML is very prone to security vulnerabilities, due to its fragile design.

We would (@SecureSAML), handle the security for the libraries. For example, we can give 2 weeks advanced notice of security vulnerabilities. This would be complemented with hot fixes and backports for the vulnerabilities.

Additionally, we would offer threat detection services, such as detecting malicious SAML responses, offer a managed ruleset (WAF like). Your SAML implementation would be certified as secure (very important for enterprise customers).

We would also make major security improvements with the funding. For example, refactoring the library to ensure that the authentication is proven secure. Integrating more security tests of all known SAML exploits. We would also quickly implement any feature requests.

Overall, the Enterprise Security Plan would ensure that your enterprise customers can securely login with SAML.

(Even if you aren't interest in buying, do you think that other companies would be interested?)

[ahacker1-securesaml]

@markstos I think you misunderstood my intention.

My intention was to provide a more managed service for users of node-saml, particularly those worried about security. Since, node-saml is a critical piece of login for many enterprise companies, it makes sense to create a secure version.

Of course, we can collaborate with Chris and you to develop the enterprise security plan. Your team would also receive part of the revenue. Right now, the amount of sponsorship that Chris gets is too small. Hence, we can't invest in stuff like new security designs, security improvements, and backports.

[srd90]

Will existing references (e.g. but not limited to https://www.cve.org/CVERecord?id=CVE-2025-54419, https://security.snyk.io/vuln/SNYK-JS-NODESAMLNODESAML-11172934) be updated accordingly, also?

GHSA-4mxg-3p6v-xgq3

I see that the vulnerable versions have been updated in the advisory database. So I believe what happens is that GitHub CNA will contact CVE authority, and update the CVE record with the updated versions.

@ahacker1-securesaml IMHO situation looks a bit odd at least at here: https://security.snyk.io/package/npm/%40node-saml%2Fnode-saml

• version 5.0.1 is flagged only with: https://security.snyk.io/vuln/SNYK-JS-NODESAMLNODESAML-10946570 ( which is CVE-2025-54369 aka GHSA-m837-g268-mmv7 )
  • note: aforementioned advisory is the one that contains CVE which was "issued due error"
  • version 5.0.1 should be flagged also / especially with CVE-2025-54419
• https://security.snyk.io/vuln/SNYK-JS-NODESAMLNODESAML-11172934 ( which is CVE-2025-54419 aka GHSA-4mxg-3p6v-xgq3 ) flags only versions < 5.0.1
  • it should flag < 5.1.0

About GHSA-4mxg-3p6v-xgq3

It seems that at least these

• https://security.snyk.io/vuln/SNYK-JS-NODESAMLNODESAML-11172934
• https://nvd.nist.gov/vuln/detail/CVE-2025-54419

have not been updated at all after initial release even though GHSA-4mxg-3p6v-xgq3 has been updated at least twice with new/updated information: https://github.com/github/advisory-database/commits/main/advisories/github-reviewed/2025/07/GHSA-4mxg-3p6v-xgq3/GHSA-4mxg-3p6v-xgq3.json

• version range from 5.0.1 to <= 5.0.1
  github/advisory-database@5532c1b#diff-056d3a4de717278e3591091f431b03adc8e7cbc7284cd4ffb50a6641ed7d2e68
• deprecated passport-saml added to advisory:
  github/advisory-database@ad36c01#diff-056d3a4de717278e3591091f431b03adc8e7cbc7284cd4ffb50a6641ed7d2e68
  • result of this modification should show up e.g. here
    https://security.snyk.io/package/npm/passport-saml

[ahacker1-securesaml]

ok, we can create and release a new security advisory

[srd90]

If someone has Snyk account that someone could report to Snyk that

• https://security.snyk.io/vuln/SNYK-JS-NODESAMLNODESAML-11172934
  • aka GHSA-4mxg-3p6v-xgq3 aka CVE-2025-54419

has mistake because at the time of writing it flags < 5.0.1 and mitigation description states that:

Upgrade @node-saml/node-saml to version 5.0.1 or higher.

even though initial version of GHSA-4mxg-3p6v-xgq3 already stated that patched version is 5.1.0

While someone with Snyk account is reporting aforementioned mistake maybe that someone could suggest at same mistake report (link to mistake report is at the end of Snyk record page) that they take a look at upgraded https://github.com/advisories/GHSA-4mxg-3p6v-xgq3 and adjust Snyk side record accordingly...i.e. add also e.g. passport-saml to Snyk side record.

[srd90]

FWIW there is now dedicated issue for discussed CVE content/information related problem:

• [BUG] discrepency between impacted versions between GHSA-4mxg-3p6v-xgq3 and CVE-2025-54419 node-saml#404