Two high-severity safety flaws have been disclosed within the open-source ruby-saml library that would permit malicious actors to bypass Safety Assertion Markup Language (SAML) authentication protections.
SAML is an XML-based markup language and open-standard used for exchanging authentication and authorization information between events, enabling options like single sign-on (SSO), which permits people to make use of a single set of credentials to entry a number of websites, companies, and apps.
The vulnerabilities, tracked as CVE-2025-25291 and CVE-2025-25292, carry a CVSS rating of 8.8 out of 10.0. They have an effect on the next variations of the library –
- < 1.12.4
- >= 1.13.0, < 1.18.0
Each the shortcomings stem from how each REXML and Nokogiri parse XML in a different way, inflicting the 2 parsers to generate totally completely different doc constructions from the identical XML enter
This parser differential permits an attacker to have the ability to execute a Signature Wrapping assault, resulting in an authentication bypass. The vulnerabilities have been addressed in ruby-saml variations 1.12.4 and 1.18.0.
Microsoft-owned GitHub, which found and reported the issues in November 2024, stated they may very well be abused by malicious actors to conduct account takeover assaults.
“Attackers who’re in possession of a single legitimate signature that was created with the important thing used to validate SAML responses or assertions of the focused group can use it to assemble SAML assertions themselves and are in flip in a position to log in as any person,” GitHub Safety Lab researcher Peter Stöckli stated in a submit.
The Microsoft-owned subsidiary additionally famous that the problem boils right down to a “disconnect” between verification of the hash and verification of the signature, opening the door to exploitation by way of a parser differential.
Variations 1.12.4 and 1.18.0 additionally plug a distant denial-of-service (DoS) flaw when dealing with compressed SAML responses (CVE-2025-25293, CVSS rating: 7.7). Customers are really useful to replace to the newest model to safeguard in opposition to potential threats.
The findings come almost six months after GitLab and ruby-saml moved to handle one other essential vulnerability (CVE-2024-45409, CVSS rating: 10.0) that would additionally end in an authentication bypass.
GitLab Releases Updates
GitLab has launched updates to handle CVE-2025-25291 and CVE-2025-25292 with Neighborhood Version (CE) and Enterprise Version (EE) variations 17.9.2, 17.8.5, and 17.7.7.
“On GitLab CE/EE situations utilizing SAML authentication, below sure circumstances, an attacker with entry to a sound signed SAML doc from the IdP may authenticate as one other legitimate person inside the setting’s SAML IdP,” GitLab stated.
It, nevertheless, identified {that a} profitable exploitation banks on an attacker having already compromised a sound person account with a view to pull off the authentication bypass.
