CVE-2025-25292: GHSL-2024-329_GHSL-2024-330: Authentication bypasses in ruby-saml - CVE-2025-25291, CVE-2025-25292

Published Mar 12, 2025
·
Updated

Summary An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.

Impact This issue may lead to authentication bypass.

Other sources

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

Debian

Two different authentication bypasses were found in ruby-saml:

GitHub Security Lab

Affected Software

10 affected componentsFixes available
Ruby ruby-saml<1.12.4, <1.18.0
rubygems/ruby-saml<1.12.4
1.12.4
rubygems/ruby-saml>=1.13.0<1.18.0
1.18.0
debian/ruby-saml<=1.11.0-1, <=1.13.0-1+deb12u1, <=1.17.0-1
1.11.0-1+deb11u2
OmniAuth Omniauth Saml Ruby<1.10.6
OmniAuth Omniauth Saml Ruby>=2.0.0<2.1.3
OmniAuth Omniauth Saml Ruby>=2.2.0<2.2.3
onelogin Ruby-SAML<1.12.4
onelogin Ruby-SAML>=1.13.0<1.18.0
NetApp Storagegrid

Remediation

Patch Available

https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released

Patch Available

https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9

Patch Available

https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97

Event History

Mar 12, 2025
CVE Published
via MITRE·08:53 PM
Data Sourced
via MITRE·08:53 PM
DescriptionWeakness
Advisory Published
via GitHub·08:54 PM
Data Sourced
via GitHub·08:54 PM
DescriptionSeverityWeaknessAffected Software
Data Sourced
via NVD·09:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Mar 13, 2025
News Published
via BleepingComputer·04:13 PM
News Published
via BleepingComputer·04:14 PM
Apr 10, 2025
Data Sourced
via Ubuntu·10:25 PM
RemedyDescriptionSeverityAffected Software
Sep 11, 2025
Advisory Published
via GitHub Security Lab·12:00 AM
Data Sourced
via GitHub Security Lab·12:00 AM
DescriptionAffected Software

Peer vulnerabilities

Found alongside the following vulnerabilities.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-25292?

CVE-2025-25292 is considered a critical severity vulnerability due to its ability to allow authentication bypass in ruby-saml.

2

How do I fix CVE-2025-25292?

To fix CVE-2025-25292, users should upgrade ruby-saml to version 1.12.4 or version 1.18.0.

3

What software versions are affected by CVE-2025-25292?

CVE-2025-25292 affects ruby-saml versions prior to 1.12.4 and between 1.13.0 and 1.18.0.

4

What kind of attack can be executed due to CVE-2025-25292?

CVE-2025-25292 allows attackers to exploit an authentication bypass, potentially enabling unauthorized access to systems.

5

How was CVE-2025-25292 discovered?

CVE-2025-25292 was discovered due to differential behavior in XML parsing between ReXML and Nokogiri in ruby-saml.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203