Saturday, March 15, 2025

Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication

A critical security vulnerability has been identified in the ruby-saml library, a popular tool used for Single Sign-On (SSO) via Security Assertion Markup Language (SAML) on the service provider side.

The vulnerabilities, designated CVE-2025-25291 and CVE-2025-25292, allow attackers to bypass authentication and conduct account takeover attacks if they possess a valid signature created with the targeted organization's key.

The ruby-saml library is widely used in various applications and products, including notable projects such as GitLab.

While GitHub does not currently use this library for authentication, the platform recently evaluated adopting it following the discovery of vulnerabilities in its own SAML implementation.

This decision to reassess ruby-saml was prompted after a significant authentication bypass flaw was disclosed in October 2024 (CVE-2024-45409).

Background and Discovery

The vulnerabilities were discovered during a comprehensive security review by GitHub's Security Lab and bug bounty researchers.

The review was initiated after GitHub decided to reconsider using ruby-saml because of previously disclosed vulnerabilities in its own implementation.

The research identified that ruby-saml uses two different XML parsers, REXML and Nokogiri, during the signature verification process.

This dual-parser setup introduced the potential for parser differentials, where REXML and Nokogiri could be tricked into retrieving different Signature elements, leading to a possible authentication bypass.

The discovery process involved several stages:

  1. Identifying the Use of Multiple Parsers: The code review revealed that REXML and Nokogiri were both used during signature verification.
  2. Assessing Exploitability: Researchers evaluated whether the parser differential could be exploited.
  3. Finding a Parser Differential: It was determined that the parsers could indeed be tricked into seeing different signatures.
  4. Creating a Full Exploit: The final step involved leveraging the parser differential to create an authentication bypass exploit.

Figure: an additional Signature was added as part of the StatusDetail element that is only visible to Nokogiri.

Code Snippets Showing the Parser Differential

Here is a look at how the Signature elements are retrieved using both REXML and Nokogiri:

```ruby
# Retrieving the Signature element with REXML
sig_element = REXML::XPath.first(
  @working_copy,
  "//ds:Signature",
  {"ds"=>DSIG}
)

# Retrieving the Signature element with Nokogiri
noko_sig_element = doc.at_xpath('//ds:Signature', 'ds' => DSIG)
```

In the validate_signature method of xml_security.rb, the signature value is extracted from the sig_element obtained with REXML:

```ruby
base64_signature = REXML::XPath.first(
  sig_element,
  "./ds:SignatureValue",
  {"ds" => DSIG}
)

signature = Base64.decode64(OneLogin::RubySaml::Utils.element_text(base64_signature))
```

Meanwhile, the SignedInfo element is extracted from the noko_sig_element obtained with Nokogiri:

```ruby
noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)

canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
```

How SAML Responses Are Validated

SAML responses are used to pass user information from the identity provider (IdP) to the service provider (SP) in XML format.

The response includes a signature that must be verified to prevent tampering. Verification involves canonicalizing the SignedInfo element and checking the signature over it, and comparing the digest of the referenced content with the DigestValue element.
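The dual-parser lookup shown above, and the StatusDetail smuggling described in the figure caption, are easiest to reason about against a single-parser check. The following is an added example written for this article, not code from ruby-saml or from GitHub's advisory, and not the fix the maintainers shipped. It parses the document once with REXML, requires exactly one Signature element anywhere in the document, takes SignedInfo and SignatureValue from that same node, and requires the enveloped signature to sit directly under the element whose ID its Reference names. The three sample Responses and their digest and signature values are constructed for the demo; DSIG is the standard XML Signature namespace.

```ruby
require 'rexml/document'
require 'rexml/xpath'

DSIG = 'http://www.w3.org/2000/09/xmldsig#'

class SignatureError < StandardError; end

# Constructed sample: a Response signed once, as a well-formed IdP would send it.
# Digest and signature values are placeholders, not real cryptographic output.
SIGNED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#_r1"><ds:DigestValue>Su4v</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>L8/i</ds:SignatureValue>
    </ds:Signature>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  </samlp:Response>
XML

# Constructed sample: a second Signature tucked into StatusDetail, the shape the
# figure caption describes. A lookup that sees only this one would verify it.
SMUGGLED_SIGNATURE = <<~XML.strip
  <samlp:StatusDetail>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_r1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue>BBBB</ds:SignatureValue>
    </ds:Signature>
  </samlp:StatusDetail>
XML
SMUGGLED_RESPONSE = SIGNED_RESPONSE.sub('</samlp:Status>', SMUGGLED_SIGNATURE + '</samlp:Status>')

# Constructed sample: the only Signature sits under StatusDetail, not under the
# element (ID="_r1") its Reference claims to cover.
WRAPPED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
    <samlp:Status>
      <samlp:StatusDetail>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo><ds:Reference URI="#_r1"><ds:DigestValue>Su4v</ds:DigestValue></ds:Reference></ds:SignedInfo>
          <ds:SignatureValue>L8/i</ds:SignatureValue>
        </ds:Signature>
      </samlp:StatusDetail>
    </samlp:Status>
  </samlp:Response>
XML

# One parse, one Signature node, and every value taken from that node.
# Returns the pieces a verifier needs, or raises SignatureError.
def extract_signature(xml)
  doc = REXML::Document.new(xml)
  sigs = REXML::XPath.match(doc, '//ds:Signature', 'ds' => DSIG)
  raise SignatureError, "expected exactly one Signature, found #{sigs.size}" unless sigs.size == 1

  sig = sigs.first
  signed_info = REXML::XPath.first(sig, './ds:SignedInfo', 'ds' => DSIG)
  sig_value = REXML::XPath.first(sig, './ds:SignatureValue', 'ds' => DSIG)
  raise SignatureError, 'Signature is missing SignedInfo or SignatureValue' if signed_info.nil? || sig_value.nil?

  # An enveloped signature must be a direct child of the element it covers,
  # and its Reference must point at that element's ID.
  reference = REXML::XPath.first(signed_info, './ds:Reference', 'ds' => DSIG)
  uri = reference && reference.attributes['URI']
  expected = "##{sig.parent.attributes['ID']}"
  raise SignatureError, "Reference URI #{uri.inspect} does not match enclosing element ID #{expected}" unless uri == expected

  { signed_info: signed_info, signature_value: sig_value.text.to_s.strip, reference_uri: uri }
end

# Convenience wrapper for logging: nil when accepted, otherwise the reason.
def rejection_reason(xml)
  extract_signature(xml)
  nil
rescue SignatureError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  { signed: SIGNED_RESPONSE, smuggled: SMUGGLED_RESPONSE, wrapped: WRAPPED_RESPONSE }.each do |name, xml|
    puts "#{name}: #{rejection_reason(xml) || 'accepted'}"
  end
end
```

Running it prints the signed sample as accepted and the other two as rejected with a reason. The point is not that this is how ruby-saml should validate, but that every value fed into signature verification must come from one parse of one node; where two parsers cannot be avoided, comparing their results and refusing on any mismatch is the check a differential has to defeat.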

Exploiting the Parser Differential

ahacker1, a participant in GitHub's bug bounty program, successfully created an exploit by leveraging the parser differential.

This was followed by another exploit developed using different techniques. Both exploits enabled an attacker to bypass authentication if they had access to a valid signature from the targeted organization.

This could be obtained from previously signed assertions or responses from other users, or even from publicly available metadata.

Example of an XML Signature

An actual Signature element from a SAML response might look like this (namespace information and element attributes removed for readability):

```xml
<Signature>
    <SignedInfo>
        <CanonicalizationMethod/>
        <SignatureMethod/>
        <Reference>
            <Transforms/>
            <DigestMethod/>
            <DigestValue>Su4v[..]</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>L8/i[..]</SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509Certificate>MIID[..]</X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>
```

Impact and Recommendations

Users of the ruby-saml library are advised to update to version 1.18.0 as soon as possible to mitigate these vulnerabilities.

Projects or libraries that use ruby-saml, such as omniauth-saml, should also update to a version that references a fixed version of ruby-saml.
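Checking whether an application is affected comes down to the ruby-saml version resolved in its Gemfile.lock, whether it is listed directly or pulled in through omniauth-saml. The following is an added example written for this article, not ruby-saml's or GitHub's code: it scans a lockfile for the resolved ruby-saml version and compares it against the fixed 1.18.0 release named above. The lockfile excerpt and its version numbers are constructed for the demo.

```ruby
# Fixed release named in the advisory.
FIXED_RUBY_SAML = Gem::Version.new('1.18.0')

# Constructed lockfile excerpt; the version numbers are made up for the demo.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3-x86_64-linux)
      omniauth-saml (2.2.1)
        omniauth (~> 2.1)
        ruby-saml (~> 1.17)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

# Resolved gems sit at four spaces in the specs section as "name (version)";
# their dependency lines are indented deeper and carry constraints, not versions.
SPEC_LINE = /\A {4}(\S+) \((\S+?)(?:-[^)]+)?\)\s*\z/

# Returns {gem_name => Gem::Version} for the requested gems found in the lockfile.
def locked_versions(lock_text, gem_names)
  lock_text.each_line.each_with_object({}) do |line, found|
    m = SPEC_LINE.match(line)
    next unless m && gem_names.include?(m[1])
    found[m[1]] = Gem::Version.new(m[2]) # platform suffix such as -x86_64-linux is dropped
  end
end

# Reports whether ruby-saml is present, its resolved version, whether it is
# below the fixed release, and whether omniauth-saml is the consumer.
def ruby_saml_status(lock_text)
  found = locked_versions(lock_text, %w[ruby-saml omniauth-saml])
  version = found['ruby-saml']
  return { present: false, needs_update: false, via_omniauth_saml: false } if version.nil?
  {
    present: true,
    version: version.to_s,
    needs_update: version < FIXED_RUBY_SAML,
    via_omniauth_saml: found.key?('omniauth-saml'),
  }
end

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  p ruby_saml_status(lock)
end
```

Pass a real Gemfile.lock path as the first argument to check a project; with no argument it reports on the constructed sample. A needs_update of true with via_omniauth_saml set means the fix has to come through an omniauth-saml release that references the patched ruby-saml, not only a direct bump.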

The discovery of these vulnerabilities underscores the importance of thorough security audits and bug bounty programs in identifying and addressing critical issues before they can be exploited by malicious actors.

As cybersecurity threats evolve, maintaining up-to-date libraries and frameworks is crucial to preventing exploitation and ensuring the security of both users and organizations.

In summary, the vulnerabilities in ruby-saml highlight the ongoing challenges in securing SSO systems but also demonstrate how collaborative efforts between researchers and companies can lead to better security outcomes.

The security community will continue to monitor these issues and ensure that libraries like ruby-saml remain secure against emerging threats.
