Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


An elevation of privilege vulnerability exists when the Azure Active Directory Passport library (Passport-Azure-AD for Node.js) incorrectly validates ID tokens.

An attacker who successfully exploits this vulnerability could bypass Azure Active Directory authentication to a targeted host web application. To exploit this vulnerability, an attacker would have to send a specially crafted token to the target web application that contains a valid user's identity claims. This update addresses the vulnerability by correcting how ID tokens are validated when Passport strategies take advantage of Azure Active Directory.

Frequently asked questions about this vulnerability

Q1: I use Azure Active Directory. Am I affected?

A1: This vulnerability only affects web applications that use the Passport-Azure-AD for Node.js library to take advantage of Azure AD for authentication. Standard Azure AD authentication that does not use the Passport-Azure-AD for Node.js library is not affected. The vulnerability exists in web applications that use outdated versions of the Passport-Azure-AD for Node.js library.

Q2: What is Passport-Azure-AD for Node.js?

A2: Passport-Azure-AD for Node.js is a collection of Passport strategies that help you integrate your node applications with Azure Active Directory. It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization. These providers let you use the many features of Passport-Azure-AD for Node.js, including web single sign-on (WebSSO), Endpoint Protection with OAuth, and JWT token issuance and validation.

Update information

Developers who use the Passport Azure AD Node.js library must download the latest version of the Passport-Azure-AD for Node.js library, and then update their applications. The technical details are published in our GitHub repository.

Developers who use version 1.x must update to version 1.4.6.

Developers who use version 2.0 must update to version 2.0.1.


Microsoft has confirmed that this is a problem in the Passport-Azure-AD for Node.js library.


CVE number: 2016-7191

Learn about the terminology that Microsoft uses to describe software updates.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!