Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-pd36-w65s-m3bn

Summary passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using `passport-wsfed-saml2` and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.

Aliases

alias	CVE-2025-46573

alias	GHSA-8gqj-226h-gm8r

Fixed_packages

url	pkg:npm/passport-wsfed-saml2@4.6.4
purl	pkg:npm/passport-wsfed-saml2@4.6.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.4

Affected_packages

url pkg:npm/passport-wsfed-saml2@3.0.5

purl pkg:npm/passport-wsfed-saml2@3.0.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-ts2m-7jet-ekgn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.5

url pkg:npm/passport-wsfed-saml2@3.0.6

purl pkg:npm/passport-wsfed-saml2@3.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-ts2m-7jet-ekgn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.6

url pkg:npm/passport-wsfed-saml2@3.0.7

purl pkg:npm/passport-wsfed-saml2@3.0.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-ts2m-7jet-ekgn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.7

url pkg:npm/passport-wsfed-saml2@3.0.8

purl pkg:npm/passport-wsfed-saml2@3.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-ts2m-7jet-ekgn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.8

url pkg:npm/passport-wsfed-saml2@3.0.9

purl pkg:npm/passport-wsfed-saml2@3.0.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-ts2m-7jet-ekgn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.9

url pkg:npm/passport-wsfed-saml2@3.0.10

purl pkg:npm/passport-wsfed-saml2@3.0.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.10

url pkg:npm/passport-wsfed-saml2@3.0.11

purl pkg:npm/passport-wsfed-saml2@3.0.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.11

url pkg:npm/passport-wsfed-saml2@3.0.12

purl pkg:npm/passport-wsfed-saml2@3.0.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.12

url pkg:npm/passport-wsfed-saml2@3.0.13

purl pkg:npm/passport-wsfed-saml2@3.0.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.13

url pkg:npm/passport-wsfed-saml2@3.0.14

purl pkg:npm/passport-wsfed-saml2@3.0.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.14

url pkg:npm/passport-wsfed-saml2@3.0.15

purl pkg:npm/passport-wsfed-saml2@3.0.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.15

url pkg:npm/passport-wsfed-saml2@3.0.16

purl pkg:npm/passport-wsfed-saml2@3.0.16

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.16

url pkg:npm/passport-wsfed-saml2@3.0.17

purl pkg:npm/passport-wsfed-saml2@3.0.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@3.0.17

url pkg:npm/passport-wsfed-saml2@4.0.0

purl pkg:npm/passport-wsfed-saml2@4.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.0.0

url pkg:npm/passport-wsfed-saml2@4.0.1

purl pkg:npm/passport-wsfed-saml2@4.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.0.1

url pkg:npm/passport-wsfed-saml2@4.1.0

purl pkg:npm/passport-wsfed-saml2@4.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.1.0

url pkg:npm/passport-wsfed-saml2@4.2.0

purl pkg:npm/passport-wsfed-saml2@4.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.2.0

url pkg:npm/passport-wsfed-saml2@4.3.0

purl pkg:npm/passport-wsfed-saml2@4.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.3.0

url pkg:npm/passport-wsfed-saml2@4.4.0

purl pkg:npm/passport-wsfed-saml2@4.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.4.0

url pkg:npm/passport-wsfed-saml2@4.5.0

purl pkg:npm/passport-wsfed-saml2@4.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.5.0

url pkg:npm/passport-wsfed-saml2@4.5.1

purl pkg:npm/passport-wsfed-saml2@4.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.5.1

url pkg:npm/passport-wsfed-saml2@4.6.0

purl pkg:npm/passport-wsfed-saml2@4.6.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.0

url pkg:npm/passport-wsfed-saml2@4.6.1

purl pkg:npm/passport-wsfed-saml2@4.6.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2af8-wagn-1bch

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.1

url pkg:npm/passport-wsfed-saml2@4.6.3

purl pkg:npm/passport-wsfed-saml2@4.6.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-pd36-w65s-m3bn

vulnerability	VCID-v41f-jhng-wufz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/passport-wsfed-saml2@4.6.3

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-46573

reference_id

reference_type

scores

value	0.00235
scoring_system	epss
scoring_elements	0.46753
published_at	2026-06-13T12:55:00Z

value	0.00235
scoring_system	epss
scoring_elements	0.46743
published_at	2026-06-12T12:55:00Z

value	0.00235
scoring_system	epss
scoring_elements	0.46598
published_at	2026-06-11T12:55:00Z

value	0.00329
scoring_system	epss
scoring_elements	0.56426
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-46573

reference_url

https://github.com/auth0/passport-wsfed-saml2

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/auth0/passport-wsfed-saml2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-46573

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-46573

reference_url

https://github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181

reference_id

e5cf3cc2a53748207f7a81bfba9195c8efa94181

reference_type

scores

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-07T13:46:09Z/

url

https://github.com/auth0/passport-wsfed-saml2/commit/e5cf3cc2a53748207f7a81bfba9195c8efa94181

reference_url

https://github.com/advisories/GHSA-8gqj-226h-gm8r

reference_id

GHSA-8gqj-226h-gm8r

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8gqj-226h-gm8r

reference_url

https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-8gqj-226h-gm8r

reference_id

GHSA-8gqj-226h-gm8r

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-07T13:46:09Z/

url

https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-8gqj-226h-gm8r

Weaknesses

cwe_id	287
name	Improper Authentication
description	When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

cwe_id	290
name	Authentication Bypass by Spoofing
description	This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 4.6 - 8.9

Exploitability 0.5

Weighted_severity 8.0

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pd36-w65s-m3bn

Vulnerability Instance