CVE-2025-46572: CWE-287: Improper Authentication in auth0 passport-wsfed-saml2

Critical
Tags: Vulnerability, CVE-2025-46572, CWE-287
Published: Tue May 06 2025 (05/06/2025, 20:18:26 UTC)
Source: CVE
Vendor/Project: auth0
Product: passport-wsfed-saml2

Description

passport-wsfed-saml2 provides a passport strategy for both the WS-Fed and SAML2 protocols. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML document signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.

AI-Powered Analysis

Last updated: 07/06/2025, 18:12:47 UTC

Technical Analysis

CVE-2025-46572 is a critical vulnerability affecting the auth0 passport-wsfed-saml2 library, which provides a passport strategy for WS-Federation and SAML2 authentication protocols. This vulnerability exists in versions from 3.0.5 up to and including 4.6.3. The flaw is categorized under CWE-287: Improper Authentication. It allows an attacker to impersonate any user during the SAML authentication process by crafting a malicious SAMLResponse. The attack requires the attacker to obtain a valid SAML object signed by the configured Identity Provider (IdP). Because the service provider relies on passport-wsfed-saml2 to validate SAML assertions, the vulnerability arises from improper validation or insufficient checks on the SAMLResponse, enabling the attacker to bypass authentication controls. The vulnerability does not require any privileges or user interaction to exploit and can be triggered remotely over the network. The issue was fixed in version 4.6.4 of the library. The CVSS 4.0 score is 9.3 (critical), reflecting the high impact on confidentiality and integrity, with no required privileges or user interaction, and ease of exploitation. No known exploits are reported in the wild yet, but the severity and nature of the vulnerability make it a high-risk threat for any organization using the affected versions of passport-wsfed-saml2 in their authentication flows.

Potential Impact

For European organizations, this vulnerability poses a significant risk to identity and access management systems that rely on SAML or WS-Federation protocols via the passport-wsfed-saml2 library. Successful exploitation allows attackers to impersonate any user, including privileged accounts, leading to unauthorized access to sensitive systems and data. This can result in data breaches, unauthorized transactions, and lateral movement within networks. Given the widespread use of SAML-based Single Sign-On (SSO) in European enterprises, government agencies, and critical infrastructure, the impact could be severe, affecting confidentiality and integrity of user identities and access controls. The vulnerability undermines trust in federated authentication mechanisms, potentially disrupting business operations and compliance with regulations such as GDPR, which mandates strict controls on personal data access and processing. Additionally, the ability to impersonate users without detection could facilitate espionage, fraud, or sabotage, especially in sectors like finance, healthcare, and public administration.

Mitigation Recommendations

European organizations should immediately audit their use of the passport-wsfed-saml2 library and identify any services employing versions between 3.0.5 and 4.6.3. The primary mitigation is to upgrade to version 4.6.4 or later, where the vulnerability is patched. If an immediate upgrade is not feasible, organizations should implement compensating controls such as:

1. Restricting access to the Identity Provider’s signed SAML assertions to trusted parties only, minimizing the risk of attackers obtaining valid SAML objects.
2. Enhancing monitoring and logging of SAML authentication events to detect anomalies or suspicious authentication attempts.
3. Employing additional multi-factor authentication (MFA) layers beyond SAML assertions to reduce the risk of unauthorized access.
4. Reviewing and tightening SAML assertion validation logic at the service provider level, if customization is possible, to ensure strict adherence to signature verification and assertion conditions.
5. Conducting penetration testing focused on SAML authentication flows to identify potential exploitation paths.

Finally, organizations should maintain up-to-date incident response plans to quickly address any suspected compromise related to this vulnerability.
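The first mitigation step above is an inventory: find every installed copy of passport-wsfed-saml2 and check whether it falls in the affected range. The script below is an added example, not code from this record or from the auth0 project. It walks the "packages" map of an npm lockfile (v2/v3 format), collects each installed copy of the library, including nested copies under other dependencies, and compares the version against the range 3.0.5 through 4.6.3 stated in the advisory, with 4.6.4 as the fix. The lockfile embedded in the block is constructed sample data; for a real audit, load your own package-lock.json (for example with fs.readFileSync and JSON.parse) and pass the parsed object to auditLockfile.

```javascript
// Added example: flag affected passport-wsfed-saml2 versions in an npm lockfile.
// Range and fix version come from the CVE-2025-46572 advisory text.
const AFFECTED = { name: 'passport-wsfed-saml2', from: '3.0.5', to: '4.6.3', fixed: '4.6.4' };

// Minimal semver core parser (major.minor.patch); pre-release/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component, so 4.10.0 sorts after 4.6.3 (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range check: from <= version <= to.
function isAffected(version) {
  return compareVersions(version, AFFECTED.from) >= 0 &&
         compareVersions(version, AFFECTED.to) <= 0;
}

// Lockfile v2/v3 keys look like "node_modules/<name>" or
// "node_modules/<parent>/node_modules/<name>"; collect every copy of `name`.
function findInstalled(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${name}`) && meta && meta.version) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Produce one report row per installed copy with the recommended action.
function auditLockfile(lock) {
  return findInstalled(lock, AFFECTED.name).map((hit) => {
    const affected = isAffected(hit.version);
    return {
      ...hit,
      affected,
      action: affected ? `upgrade to >= ${AFFECTED.fixed}` : 'ok',
    };
  });
}

// Constructed sample lockfile: one top-level affected copy, one patched nested copy.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/passport-wsfed-saml2': { version: '4.6.3' },
    'node_modules/legacy-sso/node_modules/passport-wsfed-saml2': { version: '4.6.4' },
    'node_modules/passport': { version: '0.7.0' },
  },
};

const REPORT = auditLockfile(SAMPLE_LOCK);
for (const row of REPORT) {
  console.log(`${row.path}@${row.version}: ${row.affected ? 'AFFECTED' : 'ok'} (${row.action})`);
}
```

Nested copies matter here: a patched top-level dependency does not help if another package still pins an affected version underneath it, which is why the scan matches on the path suffix rather than only the top-level key.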

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-24T21:10:48.175Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecc81

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 6:12:47 PM

Last updated: 8/11/2025, 7:42:49 PM
