
# CVE-2022-23505: Security Update for passport-wsfed-saml2 Library

**Published**: Dec 12, 2022

CVE number: CVE-2022-23505

### Overview

A remote attacker can bypass WSFed authentication on a website that uses `passport-wsfed-saml2`. A successful attack requires that the attacker possess an arbitrary WSFed assertion signed by the Identity Provider (IdP). Depending on the IdP used, fully unauthenticated attacks (e.g., without access to a valid user) might also be feasible if generation of a signed message can be triggered.

### Am I affected?

You are affected if you are using the WSFed protocol with `passport-wsfed-saml2` library versions `<4.6.3`.

The SAML2 protocol is not affected.
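One way to check the two conditions above across a whole dependency tree, added here as an example and not Auth0's or the library's own code: it walks `npm ls --json` output (assumed shape: `{ version, dependencies: { name: { version, dependencies } } }`), reports every direct or transitive copy of `passport-wsfed-saml2` below 4.6.3, and only flags exposure when WSFed is actually in use. The sample tree and the `legacy-sso-helper` package are constructed for the demonstration.

```javascript
// Added example (not Auth0's code): scan `npm ls --json` output for every copy of
// passport-wsfed-saml2 below the fixed version 4.6.3. Assumes the npm tree shape
// { version, dependencies: { name: { version, dependencies } } }.
const FIXED_VERSION = '4.6.3';
const PACKAGE = 'passport-wsfed-saml2';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts below its
// release (4.6.3-beta.1 < 4.6.3); ordering among prereleases is not compared.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Collect every installed copy, direct or transitive, with its dependency path.
function findCopies(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === PACKAGE) out.push({ path: here.join(' > '), version: node.version });
    findCopies(node, here, out);
  }
  return out;
}

// Affected only when a vulnerable copy exists AND WSFed is in use; SAML2 is not affected.
function assessExposure(tree, usesWsfed) {
  const vulnerableCopies = findCopies(tree).filter(c => compareSemver(c.version, FIXED_VERSION) < 0);
  return { vulnerableCopies, affected: usesWsfed && vulnerableCopies.length > 0 };
}

// Constructed sample tree: the direct copy is patched, a transitive copy is not.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'passport-wsfed-saml2': { version: '4.6.3' },
    'legacy-sso-helper': { version: '2.1.0', dependencies: { 'passport-wsfed-saml2': { version: '4.6.2' } } },
  },
};
console.log(JSON.stringify(assessExposure(SAMPLE_TREE, true), null, 2));
```

Feed it the real output of `npm ls --all --json` from your project to see every nested copy, since a transitive copy stays vulnerable even after the direct dependency is upgraded.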

### How do I fix this?

Upgrade to version `>=4.6.3`.

### Will this update impact my users?

The fix provided in the patch will not affect your users.
