
VSA-2025-003: Xen Orchestra SAML plugin Vulnerability

Published: 2025-11-04
Updated: 2025-11-04
Severity: 🔴 Important
CVSS 3.1: 10.0
Affected products: Xen Orchestra prior to 5.111.1 with plugin Auth SAML

One CVE, rated high upstream, has been found by Dependabot. For Vates products, we classify the impact as Important, since Xen Orchestra is not intended to be exposed publicly and exploitation requires a complex attack that applies only in a specific case. For details on how we assign severity levels, see our Severity Levels Explained page.

Summary

A vulnerability was found by Dependabot in Passport-SAML 3.2.4, an old package used by the SAML authentication plugin. We upgraded Passport-SAML and added the Node-SAML dependency. We upgraded directly to the latest version, 5.1.0, as 5.0.1 was also linked to a known vulnerability.

Impact

Production environments

It only affects people using the auth-saml plugin. The upgrade is backward compatible, even with the configuration changes Passport-SAML needed.

Development environments

It only affects people using the auth-saml plugin. The upgrade is backward compatible, even with the configuration changes Passport-SAML needed.

Affected Versions

  • Xen Orchestra Appliance (XOA): up to (excluding) 5.112.
  • XO from source (production deployments): up to (excluding) commit 86f3096.
  • XO development environments: up to (excluding) commit 86f3096.
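To check an installation against the versions listed above, here is an added example (not code from Vates or the Xen Orchestra project) that reads an npm lockfile for the auth-saml plugin and flags the Passport-SAML release the advisory names, plus any SAML package still below 5.1.0. The lockfile contents are constructed for the example; the "@node-saml/" package names are an assumption about the scope of the upgraded dependency, and the XOA version threshold 5.112 comes from the list above.

```python
import json

# Constructed npm lockfile excerpts (lockfileVersion 3 layout); not taken from Xen Orchestra.
SAMPLE_LOCK_VULN = json.dumps({
    "name": "xo-server-auth-saml",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "xo-server-auth-saml", "dependencies": {"passport-saml": "^3.2.4"}},
        "node_modules/passport-saml": {"version": "3.2.4"},
        "node_modules/xml2js": {"version": "0.6.2"},
    },
})
SAMPLE_LOCK_FIXED = json.dumps({
    "name": "xo-server-auth-saml",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "xo-server-auth-saml"},
        "node_modules/@node-saml/passport-saml": {"version": "5.1.0"},
        "node_modules/@node-saml/node-saml": {"version": "5.1.0"},
    },
})

# Versions from the advisory: passport-saml 3.2.4 is the vulnerable release and
# 5.1.0 is the version the fix moved to (5.0.1 being also linked to a known issue).
VULNERABLE_LEGACY = ("passport-saml", "3.2.4")
FIXED_MIN = (5, 1, 0)
# Assumed npm names of the upgraded dependency; the advisory only says "Node-SAML".
SCOPED_SAML_PACKAGES = ("@node-saml/passport-saml", "@node-saml/node-saml")
XOA_FIXED = (5, 112)  # XOA "up to (excluding) 5.112" from the Affected Versions list


def parse_version(v):
    """Turn '3.2.4' (optionally with a prerelease/build suffix) into a comparable tuple."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def xoa_is_affected(xoa_version):
    """True when an XOA version string falls below the first fixed release."""
    return parse_version(xoa_version) < XOA_FIXED


def find_saml_findings(lock_text):
    """Return [(package, version, status)] for every SAML package installed in the lockfile."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # lockfileVersion 2/3 keys installed packages by path; the last
        # "node_modules/" segment is the (possibly scoped) package name.
        if "node_modules/" not in path or "version" not in meta:
            continue
        name = path.split("node_modules/")[-1]
        ver = meta["version"]
        if name == VULNERABLE_LEGACY[0]:
            # The unscoped legacy package: the advisory names 3.2.4 as vulnerable;
            # any other release is still the package the fix replaced, so report it.
            status = "vulnerable" if ver == VULNERABLE_LEGACY[1] else "legacy-verify"
        elif name in SCOPED_SAML_PACKAGES:
            status = "ok" if parse_version(ver) >= FIXED_MIN else "below-fixed"
        else:
            continue
        findings.append((name, ver, status))
    return findings


if __name__ == "__main__":
    for label, lock in (("vulnerable", SAMPLE_LOCK_VULN), ("fixed", SAMPLE_LOCK_FIXED)):
        print(label, find_saml_findings(lock))
    print("XOA 5.111.1 affected:", xoa_is_affected("5.111.1"))
```

Run it against the real `package-lock.json` of an XO from source checkout by replacing the constructed samples with the file's contents; a "vulnerable" or "below-fixed" status means the dependency bump described in the Summary has not been applied.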

Mitigation

For those who cannot update Xen Orchestra, we recommend switching to another authentication mechanism, such as LDAP or OIDC, and disabling the auth-saml plugin.

Resolution

As of 2025-11-04, all dependencies have been updated in the official Xen Orchestra GitHub repository. Users are protected moving forward.

Credits

Thanks to GitHub Dependabot for its regular analysis.

References