SOCRadar® Cyber Intelligence Inc. | CVE-2025-47949: Samlify Authentication Bypass Vulnerability
May 22, 2025

CVE-2025-47949: Samlify Authentication Bypass Vulnerability

A newly disclosed vulnerability, CVE-2025-47949, has sent ripples through the Node.js developer community. Affecting the widely used samlify library, this critical flaw enables attackers to bypass authentication mechanisms, posing a significant risk to systems relying on SAML-based Single Sign-On (SSO).

With a CVSS v4.0 score of 9.9, the vulnerability demands immediate attention from developers and system administrators alike.

What is CVE-2025-47949?

CVE-2025-47949 is a critical Signature Wrapping vulnerability identified in Samlify versions prior to v2.10.0. In simple terms, this bug allows attackers to manipulate signed SAML responses in a way that bypasses authentication and grants unauthorized access.

The issue stems from improper verification of cryptographic signatures and is classified under CWE-347 (Improper Verification of Cryptographic Signature).

Quick details on CVE-2025-47949 via SOCRadar’s Vulnerability Intelligence

What is samlify and why does this vulnerability matter?

Samlify is a Node.js library designed to simplify the integration of SAML 2.0 for SSO and Single Logout (SLO). It is popular among developers for its abstraction of complex SAML protocol details, making it easier to build both Identity Providers (IdPs) and Service Providers (SPs). With around 207,000 weekly downloads on npm, the samlify library is integrated into a broad array of enterprise applications, cloud services, and internal developer tools.

Given its widespread use, any security flaw in Samlify can have cascading impacts across numerous platforms that rely on it for secure authentication. CVE-2025-47949 poses particularly high risks, including:

  • Unauthorized access to user accounts, including administrators
  • Complete bypass of SSO protections
  • Potential compromise of sensitive data and internal resources

For organizations using SAML-based authentication via samlify, understanding and addressing this vulnerability is essential to maintaining secure access control.

SOCRadar’s Attack Surface Management (ASM) module, Company Vulnerabilities page

Enhance your organization’s resilience with SOCRadar’s Attack Surface Management (ASM) module. With integrated Digital Footprint monitoring, ASM helps you continuously discover and monitor your assets, identifying vulnerabilities like CVE-2025-47949 in real time.

Stay informed with critical alerts and reduce your exposure before attackers strike.

Which versions are affected by CVE-2025-47949?

All versions of Samlify prior to 2.10.0 are vulnerable. Users should note that although the library’s GitHub releases page currently lists the latest release as v2.9.1, the updated and patched version is available via npm.

How the Exploit Works

The attack abuses flaws in how vulnerable samlify versions parse and verify SAML responses:

  1. Obtain a Signed XML Document: An attacker first acquires a valid signed SAML response from the Identity Provider. This could happen through man-in-the-middle attacks or by leveraging publicly signed metadata.
  2. Inject a Malicious Assertion: The attacker adds an unsigned SAML assertion containing arbitrary credentials, such as those of an admin user.
  3. Leverage Signature Wrapping: The valid digital signature from the original response remains intact and is still accepted by the service provider. However, due to the flawed parsing logic in vulnerable samlify versions, the unsigned assertion is mistakenly used for authentication.

This process allows the attacker to authenticate as any user without needing privileges or user interaction.
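As an added illustration (not samlify's code and not the upstream patch), the following Python sketches the structural check a Service Provider needs to defeat the wrapping described above: the assertion it trusts is located by the ID that the signature's Reference points at, never by position in the tree, and any response carrying more than one Assertion, duplicate IDs, or a dangling Reference is rejected. The sample responses and identifiers (_r1, _a1, _a2, "alice", "admin") are constructed; real XMLDSig verification (canonicalisation and cryptographic checking of the referenced element) must still follow this step.

```python
import xml.etree.ElementTree as ET

# Namespaces for SAML 2.0 and XML Signature.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def select_signed_assertion(response_xml):
    """Return the one Assertion the signature's Reference covers, or raise.
    Structural half only: the element must still be verified cryptographically."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    by_id = {}  # ID index; duplicate IDs are a classic wrapping ingredient
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is not None:
            if el_id in by_id:
                raise ValueError(f"duplicate ID {el_id!r}")
            by_id[el_id] = el
    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if not refs:
        raise ValueError("no signed Reference present")
    for ref in refs:
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        # Accept a signature over the Response or the Assertion, found by signed ID only.
        if target is None or (target is not root and target is not assertion):
            raise ValueError(f"Reference {uri!r} does not cover the Assertion")
    return assertion

def subject_of(response_xml):
    """NameID the SP may trust, or None when the response is rejected."""
    try:
        assertion = select_signed_assertion(response_xml)
    except (ValueError, ET.ParseError):
        return None
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample: one Assertion, ID _a1, referenced by its Signature (value elided).
SIGNED = """<samlp:Response ID="_r1" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion></samlp:Response>"""
# Constructed sample of the wrapped shape from the steps above: a second, unsigned Assertion.
WRAPPED = SIGNED.replace('<saml:Assertion ID="_a1">', '<saml:Assertion ID="_a2">'
    '<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>'
    '<saml:Assertion ID="_a1">')
```

Run stand-alone, `subject_of(SIGNED)` yields "alice" while `subject_of(WRAPPED)` yields None, which is the behaviour the patched library needs to exhibit.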

Current Exploitation Status

As of now, there are no confirmed reports of active exploitation. However, due to the simplicity of the attack and the widespread use of Samlify, experts urge immediate patching. The issue was highlighted in a detailed report by EndorLabs, which breaks down the vulnerability and its risks.

Respond faster to emerging threats using SOCRadar’s Vulnerability Intelligence module. Access up-to-date insights on critical CVEs like CVE-2025-47949, track exploitation trends, and prioritize patching with confidence. It is your frontline tool for proactive vulnerability risk management.

SOCRadar’s Vulnerability Intelligence: Latest CVEs & exploit trends

How to Mitigate the CVE-2025-47949 Vulnerability

To protect your systems, take the following steps immediately:

  • Upgrade to Samlify v2.10.0 or later via npm. This version includes a fix that properly validates cryptographic signatures.
  • Review and secure your SSO flows. Ensure HTTPS is enforced, and avoid using untrusted or intercepted SAML responses.
  • Monitor your systems for any signs of unauthorized access, especially if you have not yet applied the patch.

If your applications depend on samlify for SSO, patching to version 2.10.0 should be your top priority. Although there are no current reports of active exploitation, the ease with which this vulnerability can be abused leaves no room for delay. Stay secure and keep your dependencies up to date. You can find the security advisory directly on GitHub.