GitHub Uncovers New ruby-saml Vulnerabilities Allowing Account Takeover Attacks

The Hacker News by The Hacker News
March 13, 2025


Mar 13, 2025Ravie LakshmananAuthentication / Vulnerability

Two high-severity security flaws have been disclosed in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections.

SAML is an XML-based markup language and open-standard used for exchanging authentication and authorization data between parties, enabling features like single sign-on (SSO), which allows individuals to use a single set of credentials to access multiple sites, services, and apps.

The vulnerabilities, tracked as CVE-2025-25291 and CVE-2025-25292, carry a CVSS score of 8.8 out of 10.0. They affect the following versions of the library:

  • < 1.12.4
  • >= 1.13.0, < 1.18.0

Both shortcomings stem from the fact that REXML and Nokogiri parse XML differently, so the two parsers can generate entirely different document structures from the same XML input.

This parser differential allows an attacker to execute a Signature Wrapping attack, leading to an authentication bypass. The vulnerabilities have been addressed in ruby-saml versions 1.12.4 and 1.18.0.


Microsoft-owned GitHub, which discovered and reported the flaws in November 2024, said they could be abused by malicious actors to conduct account takeover attacks.

“Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user,” GitHub Security Lab researcher Peter Stöckli said in a post.

The Microsoft-owned subsidiary also noted that the issue boils down to a “disconnect” between verification of the hash and verification of the signature, opening the door to exploitation via a parser differential.

Versions 1.12.4 and 1.18.0 also plug a remote denial-of-service (DoS) flaw when handling compressed SAML responses (CVE-2025-25293, CVSS score: 7.7). Users are recommended to update to the latest version to safeguard against potential threats.
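As an added example (not code from the article or from the ruby-saml project), the following Ruby script checks a Gemfile.lock against the affected version ranges listed above, so a defender can confirm whether an application still pins a vulnerable ruby-saml before and after the recommended update. It relies only on the standard Gem::Version and Gem::Requirement classes; the lockfile fragment embedded in it is constructed for illustration and does not come from any real project.

```ruby
# Added example: flag ruby-saml versions affected by CVE-2025-25291 and
# CVE-2025-25292, using the ranges as stated in the article:
#   < 1.12.4  and  >= 1.13.0, < 1.18.0   (fixed in 1.12.4 and 1.18.0)
require 'rubygems'

AFFECTED_RANGES = [
  ['< 1.12.4'],
  ['>= 1.13.0', '< 1.18.0'],
].freeze

# True when the given ruby-saml version string falls inside an affected range.
# Gem::Requirement handles prerelease tags and multi-part versions for us.
def ruby_saml_affected?(version_str)
  version = Gem::Version.new(version_str)
  AFFECTED_RANGES.any? do |reqs|
    Gem::Requirement.new(*reqs).satisfied_by?(version)
  end
end

# Extract the locked ruby-saml version from Gemfile.lock text.
# Locked specs are indented by exactly four spaces; the six-space lines
# beneath a spec are its dependencies and are deliberately not matched.
# Returns nil when the gem is not present in the lockfile.
def locked_ruby_saml_version(lockfile_text)
  match = lockfile_text.match(/^ {4}ruby-saml \(([^)]+)\)/)
  match && match[1]
end

# Classify a lockfile as :not_present, :vulnerable or :patched.
def report(lockfile_text)
  version = locked_ruby_saml_version(lockfile_text)
  return :not_present if version.nil?

  ruby_saml_affected?(version) ? :vulnerable : :patched
end

# Constructed sample lockfile fragment (hypothetical, for demonstration only).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
      rexml (3.3.9)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml

  PLATFORMS
    ruby

  DEPENDENCIES
    ruby-saml
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_ruby_saml.rb [path/to/Gemfile.lock]
  # Without an argument the constructed sample above is checked.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "ruby-saml: #{report(text)}"
end
```

Pointing the script at a real Gemfile.lock reports `:vulnerable` for any pinned version inside the two affected ranges and `:patched` once the lockfile resolves to 1.12.4, 1.18.0 or later; the separate DoS issue (CVE-2025-25293) is fixed in the same releases, so the same check covers it.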

The findings come nearly six months after GitLab and ruby-saml moved to address another critical vulnerability (CVE-2024-45409, CVSS score: 10.0) that could also result in an authentication bypass.
