Two high-severity safety flaws have been disclosed within the open-source ruby-saml library that might permit malicious actors to bypass Safety Assertion Markup Language (SAML) authentication protections.
SAML is an XML-based markup language and open-standard used for exchanging authentication and authorization information between events, enabling options like single sign-on (SSO), which permits people to make use of a single set of credentials to entry a number of websites, companies, and apps.
The vulnerabilities, tracked as CVE-2025-25291 and CVE-2025-25292, carry a CVSS rating of 8.8 out of 10.0. They have an effect on the next variations of the library –
- < 1.12.4
- >= 1.13.0, < 1.18.0
Each the shortcomings stem from how each REXML and Nokogiri parse XML in another way, inflicting the 2 parsers to generate solely completely different doc buildings from the identical XML enter
This parser differential permits an attacker to have the ability to execute a Signature Wrapping assault, resulting in an authentication bypass. The vulnerabilities have been addressed in ruby-saml variations 1.12.4 and 1.18.0.
Microsoft-owned GitHub, which found and reported the issues in November 2024, stated they may very well be abused by malicious actors to conduct account takeover assaults.
“Attackers who’re in possession of a single legitimate signature that was created with the important thing used to validate SAML responses or assertions of the focused group can use it to assemble SAML assertions themselves and are in flip capable of log in as any person,” GitHub Safety Lab researcher Peter Stöckli stated in a publish.
The Microsoft-owned subsidiary additionally famous that the difficulty boils all the way down to a “disconnect” between verification of the hash and verification of the signature, opening the door to exploitation through a parser differential.
Variations 1.12.4 and 1.18.0 additionally plug a distant denial-of-service (DoS) flaw when dealing with compressed SAML responses (CVE-2025-25293, CVSS rating: 7.7). Customers are really helpful to replace to the newest model to safeguard towards potential threats.
The findings come almost six months after GitLab and ruby-saml moved to deal with one other crucial vulnerability (CVE-2024-45409, CVSS rating: 10.0) that might additionally end in an authentication bypass.