The open source Ruby-SAML library discloses two high-strength security flaws that allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protection.
SAML is an XML-based markup language, an open standard used to exchange authentication and authorization data between parties, enabling features such as single sign-on (SSO). This allows individuals to access multiple sites, services, and apps using a single credential.
The vulnerabilities tracked as CVE-2025-25291 and CVE-2025-25292 have a CVSS score of 8.8 out of 10.0. They affect the next version of the library –
<1.12.4> = 1.13.0, <1.18.0
The drawback of both is that both rexml and nokogiri xml are different ways, with two parsers generating completely different document structures from the same XML input
This parser differentiation allows the attacker to perform signature wrapping attacks, leading to authentication bypass. The vulnerability is addressed in Ruby-SAML versions 1.12.4 and 1.18.0.
Microsoft-owned Github, which discovered and reported the flaw in November 2024, said it could be abused by malicious actors to carry out account takeover attacks.
“Attackers who own a single valid signature created with the key used to validate SAML responses or target organizational assertions can use it to construct the SAML assertion itself and log in as any user.”
The Microsoft-owned subsidiary also noted that the issue was summarised in a “cutoff” between hash verification and signature verification, opening the door to exploitation through parser differentiation.
Versions 1.12.4 and 1.18.0 also plug in remote denial of service (DOS) defects when processing compressed SAML responses (CVE-2025-25293, CVSS score: 7.7). Users are advised to update to the latest version to protect against potential threats.
The findings arise almost six months after Gitlab and Ruby-Saml moved to address another important vulnerability (CVE-2024-45409, CVSS score: 10.0).
Source link
