CVE-2025-25291: GHSL-2024-329_GHSL-2024-330: Authentication bypasses in ruby-saml - CVE-2025-25291, CVE-2025-25292

Published Mar 12, 2025
·
Updated

Summary An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.

Impact This issue may lead to authentication bypass.

Other sources

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

NVD

TitleSeverityCVE-2025-25291 and CVE-2025-25292 (third party gem ruby-saml)CriticalCVE-2025-27407 (third party gem graphql)HighDenial of Service Due to Inefficient Processing of Untrusted InputMediumCredentials disclosed when repository mirroring failsMediumDenial of Service Vulnerability in GitLab Approval Rules due to Unbounded FieldMediumInternal Notes in Merge Requests Are Emailed to Non-Members Upon Review SubmissionMediumMaintainer can inject shell code in Google integrationsLowGuest with custom Admin group member permissions can approve the users invitation despite user capsLow

GitLab

Two different authentication bypasses were found in ruby-saml:

GitHub Security Lab

Affected Software

10 affected componentsFixes available
ruby-saml ruby-saml<1.12.4, <1.18.0
rubygems/ruby-saml>=1.13.0<1.18.0
1.18.0
rubygems/ruby-saml<1.12.4
1.12.4
debian/ruby-saml<=1.11.0-1, <=1.13.0-1+deb12u1, <=1.17.0-1
1.11.0-1+deb11u2
OmniAuth Omniauth Saml Ruby<1.10.6
OmniAuth Omniauth Saml Ruby>=2.0.0<2.1.3
OmniAuth Omniauth Saml Ruby>=2.2.0<2.2.3
onelogin Ruby-SAML<1.12.4
onelogin Ruby-SAML>=1.13.0<1.18.0
NetApp Storagegrid

Remediation

Patch Available

https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released

Patch Available

https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9

Patch Available

https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97

Event History

Mar 12, 2025
CVE Published
via MITRE·08:16 PM
Data Sourced
via MITRE·08:16 PM
DescriptionWeakness
Advisory Published
via GitHub·08:20 PM
Data Sourced
via NVD·09:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·09:15 PM
RemedyAffected Software
Mar 13, 2025
News Published
via BleepingComputer·04:13 PM
News Published
via BleepingComputer·04:14 PM
Apr 6, 2025
Data Sourced
via Ubuntu·10:24 PM
RemedyDescriptionSeverityAffected Software
Sep 11, 2025
Advisory Published
via GitHub Security Lab·12:00 AM
Data Sourced
via GitHub Security Lab·12:00 AM
DescriptionAffected Software
Apr 21, 2026
Data Sourced
via GitLab·10:58 PM
Description

Peer vulnerabilities

Found alongside the following vulnerabilities.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-25291?

The severity of CVE-2025-25291 is high due to the potential for authentication bypass.

2

How do I fix CVE-2025-25291?

To fix CVE-2025-25291, upgrade ruby-saml to versions 1.12.4 or 1.18.0 or later.

3

What product is affected by CVE-2025-25291?

CVE-2025-25291 affects the ruby-saml library.

4

What versions of ruby-saml are impacted by CVE-2025-25291?

ruby-saml versions prior to 1.12.4 and between 1.13.0 and 1.18.0 are impacted by CVE-2025-25291.

5

How does CVE-2025-25291 exploit a parser differential?

CVE-2025-25291 exploits the difference in XML parsing between ReXML and Nokogiri, leading to different document structures.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203