Security researchers have identified two critical vulnerabilities in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication mechanisms.
SAML is a standardized XML-based language used for exchanging authentication and authorization data between different parties, enabling features such as single sign-on (SSO), where individuals can use a single set of credentials to access multiple sites, services, and applications.
The discovered vulnerabilities, tracked as CVE-2025-25291 and CVE-2025-25292, have a CVSS score of 8.8 out of 10.0 and affect the following versions of the library:
- < 1.12.4
- >= 1.13.0, < 1.18.0
The root cause of these vulnerabilities lies in the different ways REXML and Nokogiri parse XML, resulting in distinct document structures from the same input. This parser differential allows an attacker to carry out a Signature Wrapping attack, ultimately bypassing authentication. The vulnerabilities have been addressed in ruby-saml versions 1.12.4 and 1.18.0.
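The following script is an added example, not code from the article or from the ruby-saml project. It reads the ruby-saml version pinned in a Gemfile.lock and reports whether it falls inside the affected ranges listed above (< 1.12.4, or >= 1.13.0 and < 1.18.0), using only Ruby's bundled `Gem::Version` and `Gem::Requirement` classes. The lockfile excerpt it parses is constructed for the demonstration; in practice you would read the text of your own Gemfile.lock.

```ruby
require "rubygems"

# Affected ranges taken from the advisory text: < 1.12.4, and >= 1.13.0 but < 1.18.0.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 1.12.4"),
  Gem::Requirement.new(">= 1.13.0", "< 1.18.0"),
].freeze

# Releases that the advisory names as fixed.
FIXED_VERSIONS = %w[1.12.4 1.18.0].freeze

# True if the given ruby-saml version string lies in an affected range.
def ruby_saml_affected?(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Extracts the resolved ruby-saml version from Gemfile.lock text, or nil if absent.
# Resolved gems appear under "specs:" indented by four spaces as "ruby-saml (1.17.0)";
# dependency lines of other gems are indented deeper and use constraints like "~> 1.12",
# so we require exactly four leading spaces and a version that starts with a digit.
def ruby_saml_version_from_lockfile(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}ruby-saml \((\d[^)\s]*)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Assesses a lockfile and returns a small report hash.
def assess_lockfile(lockfile_text)
  version = ruby_saml_version_from_lockfile(lockfile_text)
  return { present: false, version: nil, affected: false } if version.nil?
  { present: true, version: version, affected: ruby_saml_affected?(version) }
end

# Constructed sample lockfile excerpt (hypothetical versions) for a stand-alone run.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml
  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  report = assess_lockfile(SAMPLE_LOCKFILE)
  puts report.inspect
  puts "upgrade to one of #{FIXED_VERSIONS.join(' or ')}" if report[:affected]
end
```

Note that the check only covers the two ranges the advisory names; a lockfile that pins a version outside both ranges (for example 1.12.4 or 1.18.0) is reported as not affected.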
According to Microsoft-owned GitHub, which discovered and reported the flaws in November 2024, these vulnerabilities can be exploited by malicious actors to conduct account takeover attacks.
“An attacker who has obtained a valid signature created with the key used for validating SAML responses or assertions can use it to create their own SAML assertions, thereby logging in as any user,” explained Peter Stöckli, a researcher at GitHub Security Lab, in a post.
GitHub noted that the issue arises from a “disconnect” between hash verification and signature verification, allowing exploitation via parser differentials.
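As an added illustration of the defensive principle behind this class of bug (it is not ruby-saml's own fix and does not verify digests or signatures), the check below parses a SAML response exactly once with REXML and then insists that the element named by the signature's Reference URI is unique in the document and that the Signature sits directly inside the element it claims to sign. Both conditions are standard guards against signature wrapping: if the digest check and the signature check can be made to look at different elements, whether through duplicate IDs or through two parsers disagreeing about the tree, the verification steps no longer refer to the same data. The two response documents are constructed for the example and carry placeholder digest and signature values.

```ruby
require "rexml/document"

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#".freeze

# Parses the response once and returns [ok, reason]. Accepts the document only if
# there is exactly one ds:Reference, it points to exactly one element by ID, and the
# enclosing ds:Signature is a direct child of that element (enveloped signature).
# This is a generic structural guard written for this example, not a full XML-DSig check.
def check_signature_reference(xml)
  doc = REXML::Document.new(xml)
  ns = { "ds" => DSIG_NS }
  refs = REXML::XPath.match(doc, "//ds:Signature/ds:SignedInfo/ds:Reference", ns)
  return [false, "expected exactly one ds:Reference, found #{refs.size}"] unless refs.size == 1

  ref = refs.first
  uri = ref.attributes["URI"].to_s
  return [false, "Reference URI must be a same-document #id reference"] unless uri.start_with?("#")

  id = uri[1..]
  # Restrict the ID character set before interpolating it into an XPath predicate.
  return [false, "Reference ID has unexpected characters"] unless id.match?(/\A[A-Za-z_][\w.-]*\z/)

  targets = REXML::XPath.match(doc, "//*[@ID='#{id}']")
  return [false, "signed ID #{id} is not unique (#{targets.size} elements carry it)"] unless targets.size == 1

  target = targets.first
  signature = ref.parent.parent # ds:Reference -> ds:SignedInfo -> ds:Signature
  return [false, "Signature is not enveloped in the element it references"] unless signature.parent.equal?(target)

  [true, "ok"]
end

# Constructed, well-formed response: one assertion, signature enveloped inside it.
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#_a1"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed response in which two assertions share the referenced ID; a verifier that
# resolves "#_a1" twice (or in two parsers) could check the digest of one and act on the other.
DUPLICATE_ID_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
    </saml:Assertion>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#_a1"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  puts check_signature_reference(GOOD_RESPONSE).inspect
  puts check_signature_reference(DUPLICATE_ID_RESPONSE).inspect
end
```

The important design point is that every decision is made against a single parse tree: the element whose ID is resolved is the same object whose parent relationship is tested, so there is no second parser whose view of the document could differ.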
Versions 1.12.4 and 1.18.0 also fix a remote denial-of-service (DoS) vulnerability when handling compressed SAML responses (CVE-2025-25293, CVSS score: 7.7). Users are advised to update to the latest version to avoid potential threats.
These findings come nearly six months after GitLab and ruby-saml addressed another critical vulnerability (CVE-2024-45409, CVSS score: 10.0) that could also result in an authentication bypass.