
GitHub Uncovers New ruby-saml Vulnerabilities Permitting Account Takeover Attacks

Two high-severity security flaws have been disclosed in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections.

SAML is an XML-based markup language and open standard used for exchanging authentication and authorization data between parties, enabling features like single sign-on (SSO), which allows people to use a single set of credentials to access multiple websites, services, and apps.

The vulnerabilities, tracked as CVE-2025-25291 and CVE-2025-25292, carry a CVSS score of 8.8 out of 10.0. They affect the following versions of the library:

  • < 1.12.4
  • >= 1.13.0, < 1.18.0
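A quick way to check whether a project is pinned to one of the affected ranges is to read the resolved ruby-saml version out of its Gemfile.lock and compare it against those bounds. The script below is an added example, not code from ruby-saml or GitHub; it uses Gem::Version so that multi-component versions compare correctly, and the lockfile it audits is a constructed sample.

```ruby
# Added example: audit a Gemfile.lock against the ruby-saml version ranges
# listed in the advisory (< 1.12.4, and >= 1.13.0 < 1.18.0). This is not
# code from ruby-saml or GitHub; the lockfile below is a constructed sample.
require "rubygems"   # provides Gem::Version for correct version comparison

# Each entry is [lower_bound_inclusive, upper_bound_exclusive]; nil means no lower bound.
AFFECTED_RANGES = [
  [nil,      "1.12.4"],   # every release before 1.12.4
  ["1.13.0", "1.18.0"],   # 1.13.0 up to, but not including, 1.18.0
].freeze

# True when the given ruby-saml version falls inside an affected range.
# Gem::Version handles multi-digit components (1.12.10 > 1.12.4) that a
# plain string comparison would get wrong.
def affected?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? do |lower, upper|
    (lower.nil? || v >= Gem::Version.new(lower)) && v < Gem::Version.new(upper)
  end
end

# Extract the resolved ruby-saml version from Gemfile.lock text. Resolved gems
# appear under "specs:" as "    name (version)" with exactly four leading spaces;
# their dependency lines are indented by six, so they do not match.
def ruby_saml_version(lockfile_text)
  m = lockfile_text.match(/^ {4}ruby-saml \(([^)\s]+)\)$/)
  m && m[1]
end

# Returns [version, status] for a lockfile, where status is :affected,
# :fixed, or :absent (ruby-saml not present in the lockfile).
def audit_lockfile(lockfile_text)
  version = ruby_saml_version(lockfile_text)
  return [nil, :absent] unless version
  [version, affected?(version) ? :affected : :fixed]
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  version, status = audit_lockfile(SAMPLE_LOCK)
  puts "ruby-saml #{version.inspect}: #{status}"
end
```

Run it against a real lockfile with `audit_lockfile(File.read("Gemfile.lock"))`; anything reported as `:affected` should be moved to 1.12.4 or 1.18.0 as the article recommends.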

Both flaws stem from the fact that REXML and Nokogiri parse XML differently, causing the two parsers to produce entirely different document structures from the same XML input.

This parser differential allows an attacker to carry out a Signature Wrapping attack, resulting in an authentication bypass. The vulnerabilities have been addressed in ruby-saml versions 1.12.4 and 1.18.0.


Microsoft-owned GitHub, which discovered and reported the flaws in November 2024, said they could be abused by malicious actors to conduct account takeover attacks.


"Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user," GitHub Security Lab researcher Peter Stöckli said in a post.

The Microsoft-owned subsidiary also noted that the issue boils down to a "disconnect" between verification of the hash and verification of the signature, opening the door to exploitation via a parser differential.
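The defensive lesson behind the "disconnect" and the parser differential described above is that three things must be tied to one and the same node of one parsed tree: the element whose hash is checked, the element the signature covers, and the element the user identity is read from. The following is an added example, not ruby-saml's or GitHub's code and not a description of their fix: a deliberately simplified enveloped-signature check built on REXML only, where a Reference that resolves to more than one element is an error, the Signature must sit inside the referenced element, the digest is recomputed over that node, and NameID is read from that node alone. Assumptions: no XML namespaces, no canonicalization (REXML's own serialization is used as the canonical form on both sides), digest is SHA-256 over the element with its Signature child removed, and the signature is RSA-SHA256 over SignedInfo; the `sign_assertion` helper and the RSA key exist only so the example runs offline.

```ruby
# Added example, not ruby-saml's code: a toy enveloped-signature check showing
# the binding the article describes as missing, namely that the element whose
# hash is verified, the element covered by the signature, and the element the
# user identity is read from must all be the same node of ONE parsed tree.
# Simplifications (assumptions): no XML namespaces, no C14N (REXML's to_s is
# used as the canonical form on both sides), digest = SHA-256 over the element
# with its Signature child removed, signature = RSA-SHA256 over SignedInfo.
require "rexml/document"
require "openssl"
require "base64"

DIGEST_NAME = "SHA256"

def b64_sha256(str)
  Base64.strict_encode64(OpenSSL::Digest.digest(DIGEST_NAME, str))
end

# Sign an unsigned <Assertion ID="..."> fragment (helper so the example runs
# offline); returns the assertion with an enveloped <Signature> appended.
def sign_assertion(unsigned_assertion_xml, private_key)
  assertion = REXML::Document.new(unsigned_assertion_xml).root
  signed_info = REXML::Element.new("SignedInfo")
  reference = signed_info.add_element("Reference", "URI" => "##{assertion.attributes['ID']}")
  reference.add_element("DigestValue").text = b64_sha256(assertion.to_s)
  sig_value = private_key.sign(OpenSSL::Digest.new(DIGEST_NAME), signed_info.to_s)
  signature = assertion.add_element("Signature")
  signature.add_element(signed_info)
  signature.add_element("SignatureValue").text = Base64.strict_encode64(sig_value)
  assertion.to_s
end

# Verify a Response and return the NameID, taken only from the verified element.
# Raises on any inconsistency instead of falling back to a second lookup.
def verify_and_extract(response_xml, public_key)
  doc = REXML::Document.new(response_xml)          # one parser, one tree
  signature = REXML::XPath.first(doc, "//Signature")
  raise "no Signature element" unless signature
  signed_info = signature.elements["SignedInfo"]
  sig_value = Base64.strict_decode64(signature.elements["SignatureValue"].text)
  unless public_key.verify(OpenSSL::Digest.new(DIGEST_NAME), sig_value, signed_info.to_s)
    raise "SignatureValue does not verify over SignedInfo"
  end

  # Resolve the Reference URI in the SAME tree and require exactly one match:
  # an ambiguous ID is an error, never resolved to "the first one found".
  ref = signed_info.elements["Reference"]
  ref_id = ref.attributes["URI"].delete_prefix("#")
  matches = []
  matches << doc.root if doc.root.attributes["ID"] == ref_id
  doc.root.each_recursive { |e| matches << e if e.attributes["ID"] == ref_id }
  raise "Reference must resolve to exactly one element, found #{matches.size}" unless matches.size == 1
  signed = matches.first

  # The Signature just verified must be enveloped in that very element.
  raise "Signature is not inside the referenced element" unless signature.parent.equal?(signed)

  # Hash check over the same node (minus its Signature child).
  copy = signed.deep_clone
  copy.elements.delete("Signature")
  unless b64_sha256(copy.to_s) == ref.elements["DigestValue"].text
    raise "DigestValue does not match the referenced element"
  end

  # Identity comes from the verified node, never from a fresh document-wide query.
  signed.elements["Subject/NameID"].text
end

# True when verification rejects the document (used by callers and tests).
def rejected?(response_xml, public_key)
  verify_and_extract(response_xml, public_key)
  false
rescue StandardError
  true
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)                # constructed test key
  signed = sign_assertion('<Assertion ID="a1"><Subject><NameID>alice</NameID></Subject></Assertion>', key)
  puts verify_and_extract("<Response>#{signed}</Response>", key.public_key)
end
```

The point of the structure is that there is no second parse and no second search: a Response with a modified NameID fails the digest check, a Response containing a second element with the same ID fails the uniqueness check, and a signature made with a different key fails before any content is trusted.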

Versions 1.12.4 and 1.18.0 also plug a remote denial-of-service (DoS) flaw in the handling of compressed SAML responses (CVE-2025-25293, CVSS score: 7.7). Users are advised to update to the latest version to safeguard against potential threats.

The findings come nearly six months after GitLab and ruby-saml moved to address another critical vulnerability (CVE-2024-45409, CVSS score: 10.0) that could also result in an authentication bypass.
