CVE-2025-25291
published 2025-03-12

Priority: P182
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 19.51% (97.0th percentile)
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

Affected

16 ranges
Vendor        | Product       | Version range                            | Fixed in
------------- | ------------- | ---------------------------------------- | ----------------------------------------
debian        | ruby-saml     | < ruby-saml 1.11.0-1+deb11u2 (bullseye)  | ruby-saml 1.11.0-1+deb11u2 (bullseye)
omniauth      | omniauth_saml | < 1.10.6                                 | 1.10.6
omniauth      | omniauth_saml | >= 2.0.0 < 2.1.3                         | 2.1.3
omniauth      | omniauth_saml | >= 2.2.0 < 2.2.3                         | 2.2.3
onelogin      | ruby-saml     | < 1.12.4                                 | 1.12.4
onelogin      | ruby-saml     | >= 0 < 1.11.0-1+deb11u2                  | 1.11.0-1+deb11u2
onelogin      | ruby-saml     | >= 0 < 1.12.4                            | 1.12.4
onelogin      | ruby-saml     | >= 0 < 1.1.2-1ubuntu1+esm2               | 1.1.2-1ubuntu1+esm2
onelogin      | ruby-saml     | >= 0 < 1.7.2-1ubuntu0.1~esm2             | 1.7.2-1ubuntu0.1~esm2
onelogin      | ruby-saml     | >= 0 < 1.11.0-1ubuntu0.1+esm1            | 1.11.0-1ubuntu0.1+esm1
onelogin      | ruby-saml     | >= 0 < 1.13.0-1ubuntu0.1+esm1            | 1.13.0-1ubuntu0.1+esm1
onelogin      | ruby-saml     | >= 0 < 1.15.0-1ubuntu0.24.04.1+esm1      | 1.15.0-1ubuntu0.24.04.1+esm1
onelogin      | ruby-saml     | >= 1.13.0 < 1.18.0                       | 1.18.0
onelogin      | ruby-saml     | >= 1.13.0 < 1.18.0                       | 1.18.0
saml-toolkits | ruby-saml     | < 1.12.4                                 | 1.12.4
saml-toolkits | ruby-saml     |                                          |

Detection & IOCs (extracted from sources)

url: /users/auth/saml/callback
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GitLab SAML Authentication Bypass (CVE-2025-25291)"; flow:established,to_server; http.uri; content:"/users/auth/saml/callback"; fast_pattern; http.request_body; content:"SAMLResponse|3d|"; base64_decode:offset 0,relative; base64_data; content:"|3c 21|DOCTYPE|20|"; content:"|3e 3c 21 2d 2d|"; distance:0; content:"|3c 21|ENTITY|20|"; distance:0; reference:url,portswigger.net/research/saml-roulette-the-hacker-always-wins; reference:cve,2025-25291; classtype:web-application-attack; sid:2065765; rev:1; metadata:affected_product Gitlab, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_13, cve CVE_2025_25291, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |3c 21|DOCTYPE|20| ... |3e 3c 21 2d 2d| ... |3c 21|ENTITY|20|
  • Exploit POST requests target the SAML callback endpoint /users/auth/saml/callback with a crafted SAMLResponse body containing a DOCTYPE declaration, an XML comment wrapper (-->) and an ENTITY declaration, the hallmarks of the Signature Wrapping / parser-differential attack.
  • The exploit payload prepends a DOCTYPE/ENTITY XML preamble and duplicates the original SAML response body, wrapping the second copy in an XML comment so that ReXML and Nokogiri see different document structures.
  • A successful authentication bypass results in an HTTP 302 redirect response carrying a Set-Cookie header for known_sign_in; monitor for this combination on the SAML callback endpoint.
  • Shodan/FOFA fingerprints for exposed GitLab instances that may be targeted: HTTP title 'gitlab', HTML body containing 'gitlab enterprise edition' or 'gitlab-ci.yml'.
  • The attacker must possess a valid signed SAML document from the target IdP; exploitation is limited to users within the same SAML Identity Provider environment.
  • The vulnerability only affects GitLab instances using SAML SSO at the instance or group level; instances not configured for SAML are not exposed.
  • Enabling mandatory 2FA for all users on the self-managed instance reduces risk but does NOT fully mitigate the vulnerability; MFA enforced at the IdP level does not mitigate the problem.
  • Blocking auto-created users ('omniauth_block_auto_created_users = true') and disabling the SAML two-factor bypass option are temporary mitigations only, not a fix.
  • The Snort/ET rule requires TLS decryption to be effective, as noted in the rule metadata.
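The following is an added example, not code from the advisory, the rule's authors or the ruby-saml project: a log-triage check in Ruby (the project's own language) that mirrors the ET Snort rule above. It form-decodes a POST body, base64-decodes the SAMLResponse parameter and looks for the three byte patterns in the order the rule chains them with distance:0 ("<!DOCTYPE ", then "><!--", then "<!ENTITY "), then correlates a flagged request with the 302 + known_sign_in response the bullets describe. The sample bodies are constructed, and the stricter :reject_any_doctype tier is an assumption of this example (a service provider has no need for a DTD in a SAMLResponse), not something the rule or the advisory states.

```ruby
require "base64"
require "cgi"

CALLBACK_URI = "/users/auth/saml/callback"
# The three content matches of the ET rule, in the order it chains them.
RULE_MARKERS = ["<!DOCTYPE ", "><!--", "<!ENTITY "].freeze

# Constructed sample payloads (not captured traffic). The suspect one is a
# generic internal-subset DTD that simply carries all three markers in order.
BENIGN_XML   = '<samlp:Response ID="_r1"><saml:Assertion>ok</saml:Assertion></samlp:Response>'
SUSPECT_XML  = '<!DOCTYPE r [<!ELEMENT r ANY><!-- c --><!ENTITY e "v">]>' \
               '<samlp:Response ID="_r1"><saml:Assertion>ok</saml:Assertion></samlp:Response>'
DTD_ONLY_XML = '<!DOCTYPE r><samlp:Response ID="_r1"/>'

# Build an application/x-www-form-urlencoded body the way an SP receives it.
def form_body(xml)
  "SAMLResponse=#{CGI.escape(Base64.strict_encode64(xml))}&RelayState=r"
end

# Pull SAMLResponse out of the form body and base64-decode it leniently, as
# the rule's base64_decode does. The rule decodes the raw bytes; here the
# body is form-decoded first so %2B and %3D are handled before decoding.
def decode_saml_response(body)
  encoded = CGI.parse(body)["SAMLResponse"].first
  encoded && Base64.decode64(encoded)
end

# True when every marker occurs after the previous one (Snort's distance:0).
def rule_markers_in_order?(xml)
  pos = 0
  RULE_MARKERS.each do |marker|
    idx = xml.index(marker, pos)
    return false unless idx
    pos = idx + marker.length
  end
  true
end

# Classify one request. :alert_dtd_preamble reproduces the rule's verdict;
# :reject_any_doctype is the stricter added tier (assumption: a SAMLResponse
# never legitimately carries a DTD, so any DOCTYPE deserves a look).
def classify_request(uri, body)
  return :ignored unless uri == CALLBACK_URI
  xml = decode_saml_response(body)
  return :no_saml_response unless xml
  return :alert_dtd_preamble if rule_markers_in_order?(xml)
  return :reject_any_doctype if xml.include?("<!DOCTYPE")
  :clean
end

# Correlate with the response side: a flagged request answered with a 302
# that sets known_sign_in is the "bypass succeeded" combination to escalate.
# Every legitimate SAML login also produces 302 + known_sign_in, so the
# response alone is not an indicator.
def bypass_succeeded?(request_verdict, status, set_cookie)
  request_verdict == :alert_dtd_preamble &&
    status == 302 && set_cookie.to_s.include?("known_sign_in")
end

if $PROGRAM_NAME == __FILE__
  [[CALLBACK_URI, BENIGN_XML], [CALLBACK_URI, SUSPECT_XML], ["/", SUSPECT_XML]].each do |uri, xml|
    puts "#{uri}: #{classify_request(uri, form_body(xml))}"
  end
end
```

Run it directly to see the three sample verdicts (clean, alert_dtd_preamble, ignored). Because it keys on the same ordered byte patterns as the Snort rule, it is useful for replaying stored request logs from a reverse proxy where the IDS never saw decrypted traffic, which the last bullet above notes is a precondition for the rule itself.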

CVSS provenance

Source        | Version | Score | Severity | Vector
------------- | ------- | ----- | -------- | ------
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v4.0    | 9.3   | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa          |         | 9.3   | CRITICAL |
osv           |         | 9.3   | CRITICAL |
vendor_ubuntu |         | 9.8   | CRITICAL |
vendor_debian |         | 9.3   | CRITICAL |