node-saml / passport-saml

SAML 2.0 authentication with Passport


CVE-2022-0122 - Update xml-encryption (fixed in 3.x, pending for 4.x)

alexross1988 opened this issue · comments

In the latest 3.2.0, xml-encryption is currently using a version of node-forge with a CVE.
Bumping to 2.0.0 here https://github.com/node-saml/passport-saml/blob/v3.2.0/package.json#L57 would solve this following the work they've done under auth0/node-xml-encryption#94

CVE-2022-0122 (severity: High)

forge is vulnerable to URL Redirection to Untrusted Site
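The fix proposed above is a version bump of a transitive dependency (xml-encryption, which in turn pulls node-forge), so the practical question for a deployment is "which copies of node-forge does my lockfile actually install, and who requires them?". The script below is an added example, not code from passport-saml or xml-encryption: it walks a lockfileVersion 2/3 `package-lock.json` (the `packages` map), lists every installed copy of a named package, mimics Node's nearest-`node_modules` lookup to attribute each copy to the packages that require it, and flags copies older than a fixed version the caller supplies. The lockfile content and all version numbers in it are constructed, and the `1.0.0` threshold used in the usage call is an assumption to be checked against the advisory for CVE-2022-0122.

```javascript
// Added example: audit a package-lock.json for copies of a package below a fixed version.
// Not part of passport-saml. The lockfile below is constructed for illustration.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { "passport-saml": "3.2.0", "other-lib": "2.0.0" } },
    "node_modules/passport-saml": { version: "3.2.0", dependencies: { "xml-encryption": "1.3.0" } },
    "node_modules/xml-encryption": { version: "1.3.0", dependencies: { "node-forge": "0.10.0" } },
    // hoisted copy, reached by xml-encryption through the root node_modules
    "node_modules/node-forge": { version: "0.10.0" },
    "node_modules/other-lib": { version: "2.0.0", dependencies: { "node-forge": "1.3.1" } },
    // nested copy, so other-lib gets a newer node-forge than the hoisted one
    "node_modules/other-lib/node_modules/node-forge": { version: "1.3.1" },
  },
});

// Parse "MAJOR.MINOR.PATCH" (optionally with a leading "v" or a pre-release/build suffix)
// into a numeric triple. Pre-release tags are ignored, which is good enough for a threshold check.
function parseVersion(v) {
  const core = v.replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`unparseable version: ${v}`);
  return parts;
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/b" -> "node_modules/a"; top-level entries map to "" (the root project).
function parentPath(pkgPath) {
  const idx = pkgPath.lastIndexOf("node_modules/");
  if (idx <= 0) return "";
  return pkgPath.slice(0, idx - 1);
}

// Mimic Node's resolution: the nearest node_modules/<name> walking up from fromPath.
function resolveFrom(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    base = parentPath(base);
  }
}

// Every installed copy of `name`, each with the list of packages that resolve to it.
function findInstalledCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  const copies = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      copies[path] = { path, version: entry.version, requiredBy: [] };
    }
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (!(name in deps)) continue;
    const resolved = resolveFrom(lock, path, name);
    if (resolved && copies[resolved]) copies[resolved].requiredBy.push(path || "(root project)");
  }
  return Object.values(copies);
}

// Split the installed copies into those below `fixedVersion` and those at or above it.
function auditLock(lockText, name, fixedVersion) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 (a 'packages' map)");
  const copies = findInstalledCopies(lock, name);
  return {
    vulnerable: copies.filter((c) => compareVersions(c.version, fixedVersion) < 0),
    ok: copies.filter((c) => compareVersions(c.version, fixedVersion) >= 0),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  // Threshold is an assumption for this example; take the real one from the advisory.
  const report = auditLock(SAMPLE_LOCK, "node-forge", "1.0.0");
  for (const c of report.vulnerable) {
    console.log(`VULNERABLE ${c.path}@${c.version} required by ${c.requiredBy.join(", ")}`);
  }
  for (const c of report.ok) {
    console.log(`ok         ${c.path}@${c.version} required by ${c.requiredBy.join(", ")}`);
  }
}
```

The "required by" attribution is what makes the output actionable: the hoisted `node_modules/node-forge` copy is reported as required by xml-encryption, which points straight at the dependency that needs bumping, while a nested copy that some other package already pins at a safe version is left alone. To run it against a real tree, replace `SAMPLE_LOCK` with the contents of your own `package-lock.json` (lockfileVersion 1 files have no `packages` map and are rejected).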

There it is #667 (this is for branch 3.x, I'll do the same on master later if no one else does it before)

@forty Patching the master branch as well would be great, thanks.

Thanks for the quick response - is there an ETA for when the updated 3.2.X version will be published to NPM?

I started working on this today, but ran into some speed bumps and am out of time for the moment. As logged in #668, I ran into a test failure. But that's not a blocker now that I've confirmed I get the same test failure before the change was made on 3.2.0.

Also, although I'm not sure if these are publicly visible, there are 4 or 5 other "dependabot alerts" for other dependencies that could use an update. So as long as we are doing a security-focused release, I'll check that we are up-to-date with other deps as well. Perhaps later tonight or tomorrow.

3.2.1 has been released.

@cjbarth I presume the commits here need to be ported to the 4.x branch.

This has been patched on master via #685