CVE-2025-25291
Published 2025-03-12
Priority P182 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.51% (97.0th percentile)
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-saml | < ruby-saml 1.11.0-1+deb11u2 (bullseye) | ruby-saml 1.11.0-1+deb11u2 (bullseye) |
| omniauth | omniauth_saml | < 1.10.6 | 1.10.6 |
| omniauth | omniauth_saml | >= 2.0.0 < 2.1.3 | 2.1.3 |
| omniauth | omniauth_saml | >= 2.2.0 < 2.2.3 | 2.2.3 |
| onelogin | ruby-saml | < 1.12.4 | 1.12.4 |
| onelogin | ruby-saml | >= 0 < 1.11.0-1+deb11u2 | 1.11.0-1+deb11u2 |
| onelogin | ruby-saml | >= 0 < 1.12.4 | 1.12.4 |
| onelogin | ruby-saml | >= 0 < 1.1.2-1ubuntu1+esm2 | 1.1.2-1ubuntu1+esm2 |
| onelogin | ruby-saml | >= 0 < 1.7.2-1ubuntu0.1~esm2 | 1.7.2-1ubuntu0.1~esm2 |
| onelogin | ruby-saml | >= 0 < 1.11.0-1ubuntu0.1+esm1 | 1.11.0-1ubuntu0.1+esm1 |
| onelogin | ruby-saml | >= 0 < 1.13.0-1ubuntu0.1+esm1 | 1.13.0-1ubuntu0.1+esm1 |
| onelogin | ruby-saml | >= 0 < 1.15.0-1ubuntu0.24.04.1+esm1 | 1.15.0-1ubuntu0.24.04.1+esm1 |
| onelogin | ruby-saml | >= 1.13.0 < 1.18.0 | 1.18.0 |
| onelogin | ruby-saml | >= 1.13.0 < 1.18.0 | 1.18.0 |
| saml-toolkits | ruby-saml | < 1.12.4 | 1.12.4 |
| saml-toolkits | ruby-saml | — | — |
Detection & IOCs (extracted from sources)
URL: /users/auth/saml/callback
Snort rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GitLab SAML Authentication Bypass (CVE-2025-25291)"; flow:established,to_server; http.uri; content:"/users/auth/saml/callback"; fast_pattern; http.request_body; content:"SAMLResponse|3d|"; base64_decode:offset 0,relative; base64_data; content:"|3c 21|DOCTYPE|20|"; content:"|3e 3c 21 2d 2d|"; distance:0; content:"|3c 21|ENTITY|20|"; distance:0; reference:url,portswigger.net/research/saml-roulette-the-hacker-always-wins; reference:cve,2025-25291; classtype:web-application-attack; sid:2065765; rev:1; metadata:affected_product Gitlab, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_13, cve CVE_2025_25291, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Byte patterns: `|3c 21|DOCTYPE|20|` ... `|3e 3c 21 2d 2d|` ... `|3c 21|ENTITY|20|`
- Exploit POST requests target the SAML callback endpoint /users/auth/saml/callback with a crafted SAMLResponse body containing a DOCTYPE declaration, an XML comment wrapper (-->), and an ENTITY declaration: hallmarks of the Signature Wrapping / parser differential attack.
- The exploit payload prepends a DOCTYPE/ENTITY XML preamble and duplicates the original SAML response body, wrapping the second copy in an XML comment to exploit the ReXML vs. Nokogiri parser differential.
- A successful authentication bypass results in an HTTP 302 redirect response containing the Set-Cookie header known_sign_in; monitor for this combination on the SAML callback endpoint.
- Shodan/FOFA fingerprints for exposed GitLab instances that may be targeted: HTTP title 'gitlab', HTML body containing 'gitlab enterprise edition' or 'gitlab-ci.yml'.
- The attacker must possess a valid signed SAML document from the target IdP; exploitation is limited to users within the same SAML Identity Provider environment.
- The vulnerability only affects GitLab instances using SAML SSO at the instance or group level; instances not configured for SAML are not exposed.
- Enabling mandatory 2FA for all users on the self-managed instance reduces risk but does NOT fully mitigate the vulnerability; MFA enforced at the IdP level does not mitigate the problem.
- Auto-created user blocking ('omniauth_block_auto_created_users = true') and disabling the SAML two-factor bypass option are temporary mitigations only, not a fix.
- The Snort/ET rule requires TLS decryption to be effective, as noted in the rule metadata.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 9.3 | CRITICAL | — |
| osv | — | 9.3 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.3 | CRITICAL | — |
Ubuntu
RubySAML vulnerabilities
vendor_ubuntu · 2025-04-02 · CVSS 9.8
CVE-2025-25292 [CRITICAL] RubySAML vulnerabilities
Title: RubySAML vulnerabilities
Summary: Several security issues were fixed in ruby-saml.
It was discovered that ruby-saml did not correctly handle XML parsing. An attacker could possibly use this issue to perform a signature wrapping attack and bypass authentication. (CVE-2025-25291 and CVE-2025-25292)
It was discovered that ruby-saml did not correctly handle decompressing SAML responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-25293)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2025-25291: ruby-saml - ruby-saml provides security assertion markup language (SAML) single sign-on (SSO...
vendor_debian · 2025 · CVSS 9.3
CVE-2025-25291 [CRITICAL] CVE-2025-25291: ruby-saml - ruby-saml provides security assertion markup language (SAML) single sign-on (SSO...
Scope: local
bookworm: open
bullseye: resolved (fixed in 1.11.0-1+deb11u2)
OSV
ruby-saml vulnerabilities
osv · 2025-04-02 · CVSS 9.3
CVE-2025-25291 [CRITICAL] ruby-saml vulnerabilities
GHSA
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
ghsa · 2025-03-12
CVE-2025-25291 [CRITICAL] CWE-347 Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
### Summary
An authentication bypass vulnerability was found in ruby-saml due to a parser differential.
ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack.
### Impact
This issue may lead to authentication bypass.
GHSA
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
ghsa · 2025-03-12 · CVSS 9.3
CVE-2025-25292 [CRITICAL] CWE-347 omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
### Summary
There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential Moderate DDoS Vulnerability (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml.
The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.
Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0.
### Impact
Signature Wrapping Vulnerabilities allow an attacker to impersonate a user.
OSV
CVE-2025-25291: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby
osv · 2025-03-12 · CVSS 9.3
CVE-2025-25291 [CRITICAL] CVE-2025-25291: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby
OSV
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
osv · 2025-03-12 · CVSS 9.3
CVE-2025-25292 [CRITICAL] omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
OSV
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
osv · 2025-03-12
CVE-2025-25291 [CRITICAL] Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
Suricata
ET WEB_SPECIFIC_APPS GitLab SAML Authentication Bypass (CVE-2025-25291)
suricata · 2025-11-13 · CVSS 9.3
CVE-2025-25291 [CRITICAL] ET WEB_SPECIFIC_APPS GitLab SAML Authentication Bypass (CVE-2025-25291)
ET WEB_SPECIFIC_APPS GitLab SAML Authentication Bypass (CVE-2025-25291)
Nuclei
GitLab - SAML Authentication Bypass
nuclei · CVSS 9.3
CVE-2025-25291 [CRITICAL] GitLab - SAML Authentication Bypass
GitLab - SAML Authentication Bypass
Template:
```yaml
id: CVE-2025-25291
info:
  name: GitLab - SAML Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An
```
References
- https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
- https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials
- https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9
- https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
- https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4
- https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0
- https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm
- https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv
- https://portswigger.net/research/saml-roulette-the-hacker-always-wins
- https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml
- https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html
- https://news.ycombinator.com/item?id=43374519
- https://security.netapp.com/advisory/ntap-20250314-0010/