Releases: tngan/samlify
v2.10.0
Overview
Samlify version 2.10.0 addresses a critical security vulnerability (CVE-2025-47949) related to a Signature Wrapping attack in versions prior to 2.10.0. This release includes critical fixes to prevent attackers from forging SAML Responses to authenticate as any user. All users are strongly recommended to upgrade to version 2.10.0 to mitigate this risk.
Security Fixes
CVE-2025-47949: Signature Wrapping Attack Vulnerability
- Issue: A vulnerability in Samlify versions prior to 2.10.0 allowed attackers to exploit improper validation of signed XML documents, enabling them to forge a SAML Response and authenticate as any user, provided they had a signed XML document from the identity provider.
- Fix: Enhanced validation of signed XML documents to prevent Signature Wrapping attacks, ensuring secure SAML-based single sign-on (SSO) authentication.
- Impact: This vulnerability has a CVSS score of 9.9 (critical severity) and poses a high-priority risk for SAML-based SSO systems.
- Recommendation: Immediately upgrade to Samlify version 2.10.0 or later to address this vulnerability. After upgrading, test your application thoroughly to confirm compatibility with your SAML-based SSO implementation.
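The fix above is described only as "enhanced validation of signed XML documents". To make the defensive idea concrete, here is an added illustration (not samlify's code, and not the patch shipped in 2.10.0) of the structural checks a relying party performs after an XML-DSig library has verified the signature cryptographically: the element that the Signature's Reference points at must be the very element whose assertion is consumed, that element must envelop the signature, IDs must be unique in the document, and the document may carry exactly one Assertion. The SAML documents below are constructed samples with placeholder signature values; the namespaces are the standard SAML 2.0 and XML-DSig ones.

```python
"""Structural anti-wrapping checks for a SAML Response (added example).

Assumes the cryptographic signature check has already been done by an
XML-DSig library. These checks only make sure that the element that was
signed is the same element whose claims the application reads.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def validate_signed_structure(xml_text):
    """Return (True, signed_id) when the signed element is the one consumed,
    otherwise (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root element is not a samlp:Response"

    # Exactly one Assertion anywhere in the document: a second, unsigned
    # Assertion is the classic shape of a wrapped document.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion, found %d" % len(assertions)
    assertion = assertions[0]

    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        return False, "expected exactly one Signature, found %d" % len(signatures)
    signature = signatures[0]

    references = signature.findall("ds:SignedInfo/ds:Reference", NS)
    if len(references) != 1:
        return False, "expected exactly one Reference, found %d" % len(references)
    uri = references[0].get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        return False, "only same-document ID references are accepted"
    signed_id = uri[1:]

    # IDs must be unique, otherwise the signature library and the SAML
    # parser may resolve the same ID to different elements.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return False, "duplicate ID attributes in document"

    # Enveloped signature: the signed element is the Signature's parent,
    # and its ID must match the Reference URI.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    signed_element = parent_of[signature]
    if signed_element.get("ID") != signed_id:
        return False, "Signature Reference does not point at the element it is enveloped in"
    if signed_element is not root and signed_element is not assertion:
        return False, "signed element is neither the Response nor the consumed Assertion"
    return True, signed_id


# ---- constructed sample documents (placeholder signature values) ----
def _doc(body):
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">'
        + body + "</samlp:Response>"
    )


def _assertion(aid, subject, ref=None):
    sig = ""
    if ref is not None:
        sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
               "<ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>" % ref)
    return ('<saml:Assertion ID="%s">%s<saml:Subject><saml:NameID>%s</saml:NameID>'
            "</saml:Subject></saml:Assertion>" % (aid, sig, subject))


GOOD = _doc(_assertion("_a1", "alice", ref="_a1"))
# A second Assertion without a signature rides along in the same Response.
EXTRA_ASSERTION = _doc(_assertion("_a1", "alice", ref="_a1") + _assertion("_a2", "bob"))
# The Signature sits inside the Assertion but its Reference names the Response.
WRONG_REFERENCE = _doc(_assertion("_a1", "alice", ref="_resp1"))

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("extra assertion", EXTRA_ASSERTION),
                      ("wrong reference", WRONG_REFERENCE)]:
        print(name, validate_signed_structure(doc))
```

The point of the last two checks is that "the signature verifies" is not the same as "the element I am about to trust was signed": the relying party has to resolve the Reference itself and compare it against the element it extracts the NameID from, rather than trusting whatever element the parser happens to find first.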
References
GitHub Security Advisory: GHSA-r683-v43c-6xqv
CVE Details: CVE-2025-47949
Acknowledgments
We thank the security researchers and contributors who identified and reported this vulnerability, enabling us to deliver a timely fix to protect our users. @ahacker1-securesaml
Full Changelog: v2.9.1...v2.10.0
v2.9.1
- Fix escapeTag for non-string replacement values. (#561) - @mastermatt
- Bump xml-crypto (#559) - @JacobBrackett
(since v2.9.0)
What's Changed
- Adds allowCreate documentation by @sunsheeppoplar in #540
- Bump braces from 3.0.2 to 3.0.3 by @dependabot in #542
- Bump micromatch from 4.0.5 to 4.0.8 by @dependabot in #546
- Bump cross-spawn from 7.0.3 to 7.0.6 by @dependabot in #553
- Bump xml-crypto by @JacobBrackett in #559
- Fix escapeTag for non-string replacement values by @mastermatt in #561
New Contributors
- @sunsheeppoplar made their first contribution in #540
- @JacobBrackett made their first contribution in #559
Full Changelog: v2.8.11...v2.9.1
v2.8.11
v2.8.10
v2.8.9
v2.8.8
v2.8.7
v2.8.6
v2.8.5
What's Changed
- Fixes issue with SAMLSignature method not using default transformations by @stjeffrey in #473
- Makes normalizeCerString() handle inserted tabs (fixes issue with Okta) by @hackerceo in #481
New Contributors
- @stjeffrey made their first contribution in #473
- @hackerceo made their first contribution in #481
This note is automatically generated.
v2.8.4
- Update node-xml-encryption with the latest upstream update for security patch (#474)
- Fix broken tests after upgrade
- Take default encryption key algorithm as http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
  - The previous default is no longer recommended; for more detail see https://github.com/auth0/node-xml-encryption/blob/291f3f10d5d1d571a3b6da2d411aa323398f5650/lib/xmlenc.js#L54-L56
- Upgrade dev dependencies