Critical SAMLify Vulnerability Exposes Single Sign-On Systems to Attacks

A significant security flaw has been identified in the widely used samlify library, potentially enabling attackers to bypass Single Sign-On (SSO) protections and gain unauthorized access to systems that rely on SAML for authentication. The vulnerability, tracked as CVE-2025-47949, has been assigned a critical CVSS score of 9.9 out of 10, indicating a severe risk to users.

The flaw affects all versions of the samlify library prior to 2.10.0 and has been classified as CWE-347: Improper Verification of Cryptographic Signature. According to a blog post by Endor Labs, the vulnerability allows attackers to forge SAML Responses, resulting in complete authentication bypass and arbitrary user impersonation, including administrator accounts.

Samlify is designed to simplify the implementation of SAML 2.0 for SSO and Single Log-Out (SLO) by providing a high-level API; it records over 200,000 weekly downloads on npm and has 62 dependent packages. The flaw stems from weak XML signature validation in samlify: the library verifies the signature over the element the signature references, but does not ensure that the assertion it then acts on is that same signed element. This is the classic XML Signature Wrapping pattern. An attacker who holds any XML document legitimately signed by the identity provider (IdP), potentially acquired through interception such as a man-in-the-middle attack, can leave the signed assertion untouched and insert a second, unsigned assertion carrying whatever identity they choose, and samlify will accept it.

Researchers from Endor Labs have cautioned that the vulnerability opens the door to SAML SSO bypass. Exploitation requires minimal effort: it is easy to execute, needs no user interaction, and does not require elevated privileges. To mitigate the risk, systems using samlify for SAML authentication should update to version 2.10.0 or later (`npm ls samlify` shows which version is installed, including copies pulled in through dependent packages) and should avoid accepting SAML documents from untrusted sources. Given that SAML-powered SSO is integral to numerous enterprise applications and SaaS integrations, this vulnerability poses a notable threat: an attacker acting under an impersonated identity can reach sensitive data and perform privileged actions.