The SAMLStorm vulnerability in the xml-crypto library and the Node.js SAML libraries that depend on it allows an attacker to forge SAML authentication responses. A forged response can grant access to any user account in an affected application, including admin accounts, without any user interaction, so the flaw enables full account takeover across organizations that rely on SAML-based single sign-on (SSO). WorkOS patched the vulnerability for all customers within 24 hours, so no WorkOS-integrated application remained exposed. The affected libraries have over 500k weekly downloads and include @node-saml, samlify, and others. To protect themselves, companies should update to the latest version of xml-crypto and review their SAML logs for signs of exploitation. Longer-term recommendations are to regularly review exposure to protected applications, choose vendors that support security audit logging, and keep tenants properly isolated with the principle of least privilege applied to IdPs. WorkOS responded rapidly, patching the issue within 24 hours and disclosing its findings publicly.