Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/602176?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/602176?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.6", "type": "npm", "namespace": "", "name": "passport-wsfed-saml2", "version": "3.0.6", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.6.4", "latest_non_vulnerable_version": "4.6.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/348429?format=api", "vulnerability_id": "VCID-2af8-wagn-1bch", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23505", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00405", "scoring_system": "epss", "scoring_elements": "0.61443", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00405", "scoring_system": "epss", "scoring_elements": "0.61547", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00405", "scoring_system": "epss", "scoring_elements": "0.61554", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00405", "scoring_system": "epss", "scoring_elements": "0.6155", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23505" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/pull/179", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/pull/179" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-ppjq-qxhx-m25f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-ppjq-qxhx-m25f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23505", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23505" }, { "reference_url": "https://github.com/advisories/GHSA-ppjq-qxhx-m25f", "reference_id": "GHSA-ppjq-qxhx-m25f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ppjq-qxhx-m25f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/383992?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.3" } ], "aliases": [ "CVE-2022-23505", "GHSA-ppjq-qxhx-m25f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2af8-wagn-1bch" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97156?format=api", "vulnerability_id": "VCID-pd36-w65s-m3bn", "summary": "passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using `passport-wsfed-saml2` and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46573", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00235", "scoring_system": "epss", "scoring_elements": "0.46753", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00235", "scoring_system": "epss", "scoring_elements": "0.46743", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00235", "scoring_system": "epss", "scoring_elements": "0.46598", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.56426", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46573" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46573", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46573" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181", "reference_id": "e5cf3cc2a53748207f7a81bfba9195c8efa94181", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-07T13:46:09Z/" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181" }, { "reference_url": "https://github.com/advisories/GHSA-8gqj-226h-gm8r", "reference_id": "GHSA-8gqj-226h-gm8r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8gqj-226h-gm8r" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-8gqj-226h-gm8r", "reference_id": "GHSA-8gqj-226h-gm8r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-07T13:46:09Z/" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-8gqj-226h-gm8r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378905?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.6.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.4" } ], "aliases": [ "CVE-2025-46573", "GHSA-8gqj-226h-gm8r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pd36-w65s-m3bn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/361097?format=api", "vulnerability_id": "VCID-ts2m-7jet-ekgn", "summary": "passport-wsfed-saml2 Signature Bypass vulnerability\n## Information\nPlease note that this is not a new disclosure, and is previously reported in our [SECURITY-NOTICE.md](https://github.com/auth0/passport-wsfed-saml2/commit/520b9fc0bb4249ce83bec47e30153419f086ab70\n) which we removed in favor of github advisory. \n\n# Overview\n\nA vulnerability was found in the validation of a SAML signature. The validation doesn't ensure that the \"Signature\" tag is at the proper location inside an \"Assertion\" tag. This leads to a signature relocation attack where the attacker can corrupt one field of data while maintaining the signature valid. This could allow an authenticated attacker to \"remove\" one group from the assertion or corrupt another field of an assertion.\n\n# Am I affected?\n\nYou are affected if you are using the passport-wsfed-saml2 library to version < 3.0.10\n\n# How do I fix it?\n\nYou may fix this issue by upgrading passport-wsfed-saml2 library to version 3.0.10 or above. \n\n# Will the fix impact my users?\n\nThis fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.", "references": [ { "reference_url": "https://github.com/auth0/passport-wsfed-saml2", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/commit/f75211d42d2586a0d24a9da29ba8590e42363500", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/commit/f75211d42d2586a0d24a9da29ba8590e42363500" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/pull/79", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/pull/79" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-5wrg-8fxp-cx9r", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-5wrg-8fxp-cx9r" }, { "reference_url": "https://github.com/advisories/GHSA-5wrg-8fxp-cx9r", "reference_id": "GHSA-5wrg-8fxp-cx9r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5wrg-8fxp-cx9r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381869?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.10" } ], "aliases": [ "GHSA-5wrg-8fxp-cx9r", "GMS-2023-1886" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ts2m-7jet-ekgn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97476?format=api", "vulnerability_id": "VCID-v41f-jhng-wufz", "summary": "passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML document signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46572", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.54241", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.54223", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00304", "scoring_system": "epss", "scoring_elements": "0.54098", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.62188", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46572" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46572", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46572" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181", "reference_id": "e5cf3cc2a53748207f7a81bfba9195c8efa94181", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-06T20:42:56Z/" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181" }, { "reference_url": "https://github.com/advisories/GHSA-wjmp-wphq-jvqf", "reference_id": "GHSA-wjmp-wphq-jvqf", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wjmp-wphq-jvqf" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-wjmp-wphq-jvqf", "reference_id": "GHSA-wjmp-wphq-jvqf", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-06T20:42:56Z/" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-wjmp-wphq-jvqf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378905?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.6.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.4" } ], "aliases": [ "CVE-2025-46572", "GHSA-wjmp-wphq-jvqf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v41f-jhng-wufz" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.6" }