High-Severity Vulnerabilities Discovered in Ruby-SAML Library, Posing Authentication Risks
Two significant security vulnerabilities have been identified in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections. The discovered vulnerabilities are tracked as CVE-2025-25291 and CVE-2025-25292 and carry a high CVSS score of 8.8 out of 10. These flaws affect versions of the ruby-saml library prior to 1.12.4 and those from 1.13.0 up to, but not including, 1.18.0.
SAML is an XML-based open standard for exchanging authentication and authorization data between parties. It underpins features such as Single Sign-On (SSO), which lets users access multiple applications and services with a single set of credentials. The vulnerabilities arise from discrepancies in how XML is parsed by the REXML and Nokogiri libraries. This parser differential can be turned into a Signature Wrapping attack, resulting in an authentication bypass.
Microsoft-owned GitHub discovered and reported these weaknesses in November 2024. It has been noted that an attacker possessing a single valid signature, corresponding to the key that authenticates SAML responses or assertions for the targeted organization, could potentially construct malicious SAML assertions and impersonate any user within the system. GitHub Security Lab researcher Peter Stöckli elaborated that exploitation would take advantage of a “disconnect” between how the hash and signature verification processes interact, further facilitating exploitation through parser differentials.
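Seen from the verifier's side, the invariants that defeat the signature-wrapping class described above are: parse once, resolve the signed Reference to exactly one element in that same document, check the digest over that element, and read the identity from it and nowhere else. This is an added example, not ruby-saml's code; it assumes a namespace-less, simplified Response with constructed data, and a SHA-256 digest over REXML's own serialisation stands in for real XML-DSig with C14N.

```ruby
require 'rexml/document'
require 'digest'

# Stand-in for exclusive C14N: the same REXML serializer is used on both sides.
def canon(el)
  el.to_s
end
class WrappingError < StandardError; end

# Returns the Subject of the one Assertion the signature actually covers. Every
# check runs against the single REXML document parsed here; nothing is re-parsed.
def signed_subject(xml)
  root = REXML::Document.new(xml).root
  ref = REXML::XPath.first(root, 'Signature/SignedInfo/Reference')
  raise WrappingError, 'no Reference' unless ref
  id = ref.attributes['URI'].to_s.delete_prefix('#')
  raise WrappingError, "bad ID #{id.inspect}" unless id.match?(/\A[A-Za-z_][\w.-]*\z/)
  # The referenced ID must resolve to exactly one element in this document.
  hits = REXML::XPath.match(root, "//*[@ID='#{id}']")
  raise WrappingError, "ID #{id} matches #{hits.size} elements" unless hits.size == 1
  target = hits.first
  # Only a direct child Assertion of the Response may be the signed element, so
  # a genuine assertion relocated into a wrapper such as Extensions is rejected.
  unless target.name == 'Assertion' && target.parent.equal?(root)
    raise WrappingError, 'signed element is not a top-level Assertion'
  end
  # The digest is checked over the element just resolved, never a second lookup.
  expected = REXML::XPath.first(ref, 'DigestValue').text.strip
  raise WrappingError, 'digest mismatch' unless Digest::SHA256.base64digest(canon(target)) == expected
  # The identity is read from that same element and nowhere else.
  REXML::XPath.first(target, 'Subject').text
end

def rejected?(xml)
  signed_subject(xml)
  false
rescue WrappingError
  true
end

# Constructed test data: a Response whose Signature covers +signed+ (ID a1) while
# +body+ is what the Response actually contains; the digest plays the IdP's part.
def build_response(signed, body)
  digest = Digest::SHA256.base64digest(canon(REXML::Document.new(signed).root))
  "<Response><Signature><SignedInfo><Reference URI=\"#a1\"><DigestValue>#{digest}" \
    "</DigestValue></Reference></SignedInfo></Signature>#{body}</Response>"
end

GENUINE = '<Assertion ID="a1"><Subject>alice</Subject></Assertion>'
FORGED  = '<Assertion ID="a2"><Subject>admin</Subject></Assertion>'
```

Feeding `build_response(GENUINE, GENUINE)` returns `alice`, while a duplicated ID, a genuine assertion moved under `<Extensions>`, or a modified assertion each raise `WrappingError`.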
In addition to the authentication vulnerabilities, versions 1.12.4 and 1.18.0 of the ruby-saml library also address another flaw that could allow remote denial-of-service (DoS) attacks when processing compressed SAML responses, identified as CVE-2025-25293 with a CVSS score of 7.7. Users are strongly advised to update to the latest versions to mitigate these security risks.
The findings follow closely on the heels of a prior critical vulnerability (CVE-2024-45409, CVSS score: 10.0) that had already raised alarms six months prior, prompting actions from both GitHub and ruby-saml to manage and rectify the risks posed.
To further tackle the identified vulnerabilities, GitLab has issued updates corresponding to CVE-2025-25291 and CVE-2025-25292 for both Community Edition (CE) and Enterprise Edition (EE) platforms. These updates target specific conditions wherein an attacker, equipped with a valid signed SAML document from the Identity Provider (IdP), could authenticate as another user within the SAML environment. However, exploiting this vulnerability remains contingent upon the attacker already having compromised a valid user account.
The situation underscores the critical need for organizations to maintain vigilance regarding SAML-related authentication methods and to address any vulnerabilities that may leave them open to exploitation. As cyber threats continue to evolve, the application of frameworks like the MITRE ATT&CK Matrix is essential for understanding the tactics and techniques that adversaries may employ, including initial access, credential access, and exploitation of vulnerabilities.
In summary, the ruby-saml library vulnerabilities highlight the importance of timely updates and robust security practices in safeguarding authentication processes. Business owners must actively monitor such developments to protect their organizations against potential breaches.