CVE-2025-25292
Ruby SAML vulnerable to SAML authentication bypass due to namespace handling (parser differential)
In short
Ruby SAML has a flaw where different XML parsers handle namespaces differently, allowing attackers to forge valid authentication tokens and bypass login protections. This is a critical vulnerability that can give unauthorized access to protected systems.
Technical detail
The vulnerability stems from parser differential behavior between ReXML and Nokogiri in namespace handling, enabling Signature Wrapping attacks (CWE-347): a crafted SAML response passes signature validation when read by one parser, while the other parser yields a different document structure from which the assertion is actually consumed. No special privileges are required; the attack vector is network-based and affects the SAML authentication flow in versions prior to 1.12.4 and 1.18.0.
Summary generated and translated by AI from the official description.
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, so the two parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
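The two paragraphs above describe the failure mode: the element whose signature is verified and the assertion the application consumes end up being different nodes. Upgrading to 1.12.4 / 1.18.0 is the fix; the following added example (written for this page, not code from ruby-saml or the advisory) shows a defensive structural consistency check a relying party can run with a single parser (REXML, from the Ruby standard library) before trusting an assertion. The two SAML Response documents are constructed samples, the function name `saml_structure_findings` is an assumption, and the check is deliberately independent of cryptographic verification: it only asks whether the signature's Reference resolves to exactly one element that covers the one Assertion present.

```ruby
require "rexml/document"
require "rexml/xpath"

# Namespace prefixes used by the XPath queries below (standard SAML 2.0 and XML-DSig URIs).
SAML_NS = {
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
  "ds"    => "http://www.w3.org/2000/09/xmldsig#",
}.freeze

# Structural checks a relying party can run on a SAML Response before trusting
# the Assertion in it. Returns an array of findings; an empty array means no
# inconsistency was found. Signature validity itself is NOT checked here.
def saml_structure_findings(xml)
  findings = []
  doc = REXML::Document.new(xml)

  # A response should carry exactly one Assertion; extra copies are the classic
  # shape of a wrapping attempt and are worth rejecting outright.
  assertions = REXML::XPath.match(doc, "//saml:Assertion", SAML_NS)
  findings << "expected exactly 1 Assertion, found #{assertions.size}" unless assertions.size == 1

  # Exactly one signed Reference is expected (the Assertion or the whole Response).
  ref_uris = REXML::XPath.match(doc, "//ds:Signature/ds:SignedInfo/ds:Reference/@URI", SAML_NS).map(&:value)
  findings << "expected exactly 1 Reference URI, found #{ref_uris.size}" unless ref_uris.size == 1
  return findings if assertions.empty? || ref_uris.empty?

  assertion = assertions.first
  target_id = ref_uris.first.sub(/\A#/, "")
  unless target_id.match?(/\A[A-Za-z0-9_.-]+\z/)
    findings << "unexpected Reference URI format: #{ref_uris.first.inspect}"
    return findings
  end

  # The referenced ID must resolve to exactly one element (duplicate IDs are
  # another way the signed node and the consumed node can diverge) ...
  referenced = REXML::XPath.match(doc, "//*[@ID='#{target_id}']")
  findings << "Reference URI ##{target_id} matches #{referenced.size} elements (expected 1)" unless referenced.size == 1

  # ... and that element must be the Assertion itself or the enclosing Response,
  # so the signed bytes actually cover what the application will consume.
  signed = referenced.first
  covers = signed && (signed.equal?(assertion) || signed.equal?(doc.root))
  findings << "signed element <#{signed&.expanded_name}> does not cover the Assertion" unless covers

  findings
end

# Constructed sample: one Assertion, signature reference points at it.
BENIGN_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: the signed Assertion (_a1) is tucked away inside an
# Extensions element while an unsigned Assertion (_a2) sits where the
# application would look for it first.
WRAPPED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a2">
      <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    </saml:Assertion>
    <samlp:Extensions>
      <saml:Assertion ID="_a1">
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
          <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
        </ds:Signature>
        <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Extensions>
  </samlp:Response>
XML

if __FILE__ == $0
  puts "benign:  #{saml_structure_findings(BENIGN_RESPONSE).inspect}"
  puts "wrapped: #{saml_structure_findings(WRAPPED_RESPONSE).inspect}"
end
```

The check is intentionally conservative: any finding should be treated as a reason to reject the response, and it complements rather than replaces a patched library, since the root cause here is that two parsers may disagree on the structure this code inspects with only one of them.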
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
SAML-Toolkits · ruby-saml
References
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials
https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv
https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9
https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4
https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2
https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html
https://news.ycombinator.com/item?id=43374519
https://portswigger.net/research/saml-roulette-the-hacker-always-wins
https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml