VDB
KO
MEDIUM 5.3

GHSA-5379-r78w-42h2

Unlimited transforms allowed for signed nodes

Details

### Impact A malicious SAML payload can require transforms that consume significant system resources to process, thereby resulting in reduced or denied service. This would be an effective way to perform a denial-of-service attack.

### Patches This has been resolved in version 3.1.0. The resolution is to limit the number of allowable transforms to 2.

### References https://github.com/node-saml/passport-saml/pull/595

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / passport-saml
Introduced in: 0 Fixed in: 3.1.0
Fix npm install passport-saml@3.1.0

References