CVE-2025-29774 and CVE-2025-29775 (SAMLStorm)
Disclosure for CVE-2025-29774 and CVE-2025-29775 (SAMLStorm).
A vulnerability in an open-source library, xml-crypto, which Retool uses for SAML login implementation, allowed for account takeovers through forged SAML identity provider (IdP) assertions. In the worst case, an external threat actor could forge arbitrary assertions for a SAML IdP, potentially leading to full account takeovers within an organization.
This exploit requires no user interaction and an attacker could gain unauthorized access to an organization with escalated privileges. More information about these vulnerabilities is available on the WorkOS website.
| Field | Value |
|---|---|
| Vulnerability Type | Improper Verification of Cryptographic Signature |
| Package | xml-crypto |
| Affected Component | Retool organizations using SAML SSO |
| Attack Type | Remote |
| Impact | Account Takeover |
| Reference | https://workos.com/blog/samlstorm |
| Discoverer | Alexander Tan (ahacker1) |
Fixed release versions
| Branch | Versions |
|---|---|
| Edge | 3.170.0-edge |
| Stable | 3.148.3-stable |
| Stable | 3.114.16-stable |
Affected release versions
| Release branch | Release versions |
|---|---|
| Edge | 3.149.0 to 3.168.0 |
| 3.148-stable | 3.148.0 to 3.148.2 |
| Edge | 3.111.0 to 3.144.0 |
| 3.114-stable | 3.114.0 to 3.114.15 |
| < 3.111.0 |