A vulnerability in an open-source library, samlify, which Retool uses for SAML login implementation, allowed for account takeovers through forged SAML identity provider (IdP) assertions. In the worst case, an external threat actor could forge arbitrary assertions for a SAML IdP, potentially leading to full account takeovers within an organization. An attacker would need a signed XML document by the identity provider. Version 2.10.0 fixes the issue. This exploit requires no user interaction and an attacker could gain unauthorized access to an organization with escalated privileges.
| Field | Value |
|---|
| Vulnerability Type | Improper Verification of Cryptographic Signature |
| Package | samlify |
| Affected Component | Retool organizations using SAML SSO |
| Attack Type | Remote |
| Impact | Account Takeover |
| Reference | https://nvd.nist.gov/vuln/detail/CVE-2025-47949 |
| Discoverer | Alexander Tan (ahacker1) |
Fixed release versions
| Branch | Versions |
|---|
| Edge | 3.207.0-edge |
| Stable | 3.196.2-stable |
| Stable | 3.148.13-stable |
| Stable | 3.114.25-stable |
Affected release versions
| Release branch | Release versions |
|---|
| Edge | 3.111.0 to 3.203.0 |
| 3.196-stable | 3.196.0 to 3.196.1 |
| 3.148-stable | 3.148.0 to 3.148.11 |
| 3.114-stable | 3.114.0 to 3.114.23 |
| < 3.111.0 |