CVE-2025-25291

ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)

CVSS 9.3 (Critical) | EPSS 19.5% | CWE-347 | CWE-436
In short

ruby-saml has a critical flaw: the two XML parsers it relies on handle SAML authentication messages differently, which lets an attacker bypass login. By manipulating the XML structure, an attacker can forge a message that passes signature validation and authenticates without valid credentials.

Technical detail

CVE-2025-25291 stems from a parser differential between REXML and Nokogiri that enables Signature Wrapping attacks against SAML assertions. An unauthenticated attacker can craft an XML DOCTYPE declaration that the two engines parse into different document structures, so the signature is verified over one view of the document while the assertion is consumed from another; the result is signature validation bypass and authentication circumvention in ruby-saml versions before 1.12.4 and 1.18.0.

Summary generated and translated by AI from the official description.
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
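The advisory names two fixed releases, 1.12.4 for the 1.12.x branch and 1.18.0 for the current branch, so "is my version affected?" is not a single comparison. The following is an added example (not part of the advisory or of ruby-saml itself) that encodes that two-branch rule with Ruby's built-in `Gem::Version` and applies it to a Gemfile.lock. The assumption made here, beyond what the advisory states, is that the affected range is every release below 1.12.4 plus every release from 1.13.0 up to but not including 1.18.0; the lockfile content is constructed for the example.

```ruby
require "rubygems"

# Fixed releases named in the advisory.
FIXED_LEGACY      = Gem::Version.new("1.12.4")
LEGACY_BRANCH_END = Gem::Version.new("1.13.0")   # assumption: 1.12.x branch ends here
FIXED_CURRENT     = Gem::Version.new("1.18.0")

# Returns true when the given ruby-saml version is in the affected range.
# Assumption: releases >= 1.12.4 and < 1.13.0 are patched 1.12.x releases;
# releases >= 1.13.0 are only patched from 1.18.0 onward.
def ruby_saml_affected?(version_string)
  v = Gem::Version.new(version_string)
  return true  if v < FIXED_LEGACY       # 1.12.3 and older
  return false if v < LEGACY_BRANCH_END  # 1.12.4 and later 1.12.x
  v < FIXED_CURRENT                      # 1.13.0 .. 1.17.x
end

# Extracts the resolved ruby-saml version from Gemfile.lock text.
# Bundler writes resolved gems as "    name (version)" under the specs block.
def lockfile_ruby_saml_version(lockfile_text)
  match = lockfile_text.match(/^\s+ruby-saml \(([^)]+)\)\s*$/)
  match && match[1]
end

# Combines the two: nil when ruby-saml is not in the lockfile at all.
def lockfile_ruby_saml_status(lockfile_text)
  version = lockfile_ruby_saml_version(lockfile_text)
  return nil if version.nil?
  { version: version, affected: ruby_saml_affected?(version) }
end

# Constructed sample lockfile fragment (not from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.5)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml (>= 3.2.5)
      rexml (3.3.2)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  status = lockfile_ruby_saml_status(SAMPLE_LOCKFILE)
  puts "ruby-saml #{status[:version]}: #{status[:affected] ? 'AFFECTED' : 'fixed'}"
end
```

Run it against a real lockfile with `lockfile_ruby_saml_status(File.read("Gemfile.lock"))`; a `nil` result means ruby-saml is not resolved in that bundle. Using `Gem::Version` rather than string comparison matters here because `"1.9.0" < "1.12.4"` is false as strings but true as versions.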
