8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39299

CVE-2022-39299: Signature bypass via multiple root elements

Impact

A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.

Patches

Users should upgrade to passport-saml 3.2.2 or newer. The issue was also present in the beta releases of node-saml before v4.0.0-beta.5.

Workarounds

Disable SAML authentication.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open a discussion in the node-saml repo

Credits

Felix Wilhelm of Google Project Zero

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-39299

CVE-2022-39299:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
passport-saml	npm	< 3.2.2	3.2.2
node-saml	npm	< 4.0.0-beta.5	4.0.0-beta.5
@node-saml/node-saml	npm	< 4.0.0-beta.5	4.0.0-beta.5
@node-saml/passport-saml	npm	< 4.0.0-beta.3	4.0.0-beta.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper XML signature validation that didn't enforce a single root element. The commit diff shows the patch added a check for exactly one root element (filtering childNodes.length === 1) in the signature validation flow. The vulnerable version's validateSignature() function in saml.ts only checked the documentElement's signature without verifying the XML structure integrity, enabling signature bypass via multiple roots. The CWE-347 (Improper Signature Verification) directly maps to this function's pre-patch behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-39299: Signature bypass via multiple root elements

Impact

Patches

Workarounds

References

For more information

Credits

CVE-2022-39299:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.1

8.1

CVE-2022-39299: Signature bypass via multiple root elements

Impact

Patches

Workarounds

References

For more information

Credits

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI