Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/97156?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97156?format=api", "vulnerability_id": "VCID-pd36-w65s-m3bn", "summary": "passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using `passport-wsfed-saml2` and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.", "aliases": [ { "alias": "CVE-2025-46573" }, { "alias": "GHSA-8gqj-226h-gm8r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378905?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.6.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.4" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/13039?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-ts2m-7jet-ekgn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/602176?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-ts2m-7jet-ekgn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/602177?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-ts2m-7jet-ekgn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/602178?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-ts2m-7jet-ekgn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/602179?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-ts2m-7jet-ekgn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/381869?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/602180?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/602181?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/602182?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/602183?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/602184?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/602185?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/602186?format=api", "purl": "pkg:npm/passport-wsfed-saml2@3.0.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/602187?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/602188?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.0.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/602189?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/602190?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.2.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/602191?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/602192?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.4.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/602193?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.5.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/602194?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/602195?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/602196?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2af8-wagn-1bch" }, { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/383992?format=api", "purl": "pkg:npm/passport-wsfed-saml2@4.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pd36-w65s-m3bn" }, { "vulnerability": "VCID-v41f-jhng-wufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.3" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46573", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00235", "scoring_system": "epss", "scoring_elements": "0.46753", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00235", "scoring_system": "epss", "scoring_elements": "0.46743", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00235", "scoring_system": "epss", "scoring_elements": "0.46598", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.56426", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46573" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/auth0/passport-wsfed-saml2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46573", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46573" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181", "reference_id": "e5cf3cc2a53748207f7a81bfba9195c8efa94181", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-07T13:46:09Z/" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181" }, { "reference_url": "https://github.com/advisories/GHSA-8gqj-226h-gm8r", "reference_id": "GHSA-8gqj-226h-gm8r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8gqj-226h-gm8r" }, { "reference_url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-8gqj-226h-gm8r", "reference_id": "GHSA-8gqj-226h-gm8r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-07T13:46:09Z/" } ], "url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-8gqj-226h-gm8r" } ], "weaknesses": [ { "cwe_id": 287, "name": "Improper Authentication", "description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct." }, { "cwe_id": 290, "name": "Authentication Bypass by Spoofing", "description": "This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "4.6 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pd36-w65s-m3bn" }