
v2.10.0

@tngan tngan released this 25 May 06:36

Overview

Samlify version 2.10.0 addresses a critical security vulnerability (CVE-2025-47949) related to a Signature Wrapping attack in versions prior to 2.10.0. This release includes critical fixes to prevent attackers from forging SAML Responses to authenticate as any user. All users are strongly recommended to upgrade to version 2.10.0 to mitigate this risk.
Security Fixes

CVE-2025-47949: Signature Wrapping Attack Vulnerability

  • Issue: A vulnerability in Samlify versions prior to 2.10.0 allowed attackers to exploit improper validation of signed XML documents, enabling them to forge a SAML Response and authenticate as any user, provided they had a signed XML document from the identity provider.
  • Fix: Enhanced validation of signed XML documents to prevent Signature Wrapping attacks, ensuring secure SAML-based single sign-on (SSO) authentication.
  • Impact: This vulnerability had a CVSS score of 9.9, indicating a critical severity. It posed a high-priority risk for SAML-based SSO systems.
  • Recommendation: Immediately upgrade to Samlify version 2.10.0 or later to address this vulnerability.

Ensure that your application is thoroughly tested after upgrading to confirm compatibility with your SAML-based SSO implementation.
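As an added illustration of the structural checks a service provider must run after the XML signature itself has verified (example code written for this note, not samlify's own implementation; it assumes a single Assertion with an enveloped Signature, and the sample documents below are constructed with a dummy signature value):

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION, SIGNATURE, REFERENCE = f"{{{SAML}}}Assertion", f"{{{DS}}}Signature", f"{{{DS}}}Reference"


def signed_assertion(response_xml: str) -> ET.Element:
    """Return the single Assertion that the enveloped Signature covers, else raise ValueError."""
    root = ET.fromstring(response_xml)
    # 1. Exactly one Assertion in the whole document, and it is a direct child
    #    of the Response: never pick an Assertion by a loose //Assertion search.
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1 or root.find(ASSERTION) is None:
        raise ValueError("expected exactly one top-level Assertion")
    assertion = assertions[0]
    # 2. The Assertion carries its own enveloped Signature as a direct child.
    sig = assertion.find(SIGNATURE)
    if sig is None:
        raise ValueError("Assertion has no enveloped Signature")
    # 3. That Signature's single same-document Reference names this Assertion's ID,
    #    so the element whose digest was verified is the element we consume.
    refs = [r.get("URI") for r in sig.iter(REFERENCE)]
    if refs != ["#" + (assertion.get("ID") or "")]:
        raise ValueError("Signature Reference does not cover this Assertion")
    # 4. The referenced ID must be unique in the document, or the Reference is ambiguous.
    if [e.get("ID") for e in root.iter()].count(assertion.get("ID")) != 1:
        raise ValueError("duplicate ID attribute in document")
    return assertion


def is_safe_response(response_xml: str) -> bool:
    """Boolean wrapper: True only when every structural check passes."""
    try:
        return signed_assertion(response_xml) is not None
    except (ValueError, ET.ParseError):
        return False


# Constructed sample documents (not real IdP output; the signature value is a dummy).
_SIGNED = ('<saml:Assertion xmlns:saml="%s" ID="_a1"><saml:Subject><saml:NameID>alice'
           '</saml:NameID></saml:Subject><ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
           '<ds:Reference URI="#_a1"/></ds:SignedInfo><ds:SignatureValue>DUMMY'
           '</ds:SignatureValue></ds:Signature></saml:Assertion>') % (SAML, DS)
_UNSIGNED = ('<saml:Assertion xmlns:saml="%s" ID="_a2"><saml:Subject><saml:NameID>bob'
             '</saml:NameID></saml:Subject></saml:Assertion>') % SAML
RESP = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">%s</samlp:Response>'
GOOD_RESPONSE = RESP % _SIGNED                  # one signed Assertion: accepted
EXTRA_ASSERTION = RESP % (_UNSIGNED + _SIGNED)  # an unsigned Assertion added: rejected
```

The point is that only the element the verified Reference names is ever consumed, and any other Assertion in the document is grounds for rejecting the whole response rather than for picking one of them.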
References

GitHub Security Advisory: GHSA-r683-v43c-6xqv
CVE Details: CVE-2025-47949

Acknowledgments

We thank the security researchers and contributors who identified and reported this vulnerability, enabling us to deliver a timely fix to protect our users. @ahacker1-securesaml

Full Changelog: v2.9.1...v2.10.0