CVE-2025-25292
Published 2025-03-12
CVE-2025-25292: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior…
Priority P1 (81) · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 63.79% (99.1st percentile)
ruby-saml provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential: REXML and Nokogiri parse XML differently and can build entirely different document structures from the same input. Because ruby-saml uses both parsers while verifying a response, an attacker who holds a validly signed SAML document from the identity provider can craft input in which the element the signature is checked against under one parser is not the element whose contents are trusted under the other, which is a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 (for the 1.12.x branch) and 1.18.0 contain a patch for the issue.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-saml | < ruby-saml 1.11.0-1+deb11u2 (bullseye) | ruby-saml 1.11.0-1+deb11u2 (bullseye) |
| debian | ruby-saml | — | — |
| omniauth | omniauth_saml | < 1.10.6 | 1.10.6 |
| omniauth | omniauth_saml | >= 2.0.0 < 2.1.3 | 2.1.3 |
| omniauth | omniauth_saml | >= 2.2.0 < 2.2.3 | 2.2.3 |
| onelogin | ruby-saml | < 1.18.0 | 1.18.0 |
| onelogin | ruby-saml | < 1.12.4 | 1.12.4 |
| onelogin | ruby-saml | >= 0 < 1.11.0-1+deb11u2 | 1.11.0-1+deb11u2 |
| onelogin | ruby-saml | >= 0 < 1.18.0 | 1.18.0 |
| onelogin | ruby-saml | >= 0 < 1.12.4 | 1.12.4 |
| onelogin | ruby-saml | >= 0 < 1.1.2-1ubuntu1+esm2 | 1.1.2-1ubuntu1+esm2 |
| onelogin | ruby-saml | >= 0 < 1.7.2-1ubuntu0.1~esm2 | 1.7.2-1ubuntu0.1~esm2 |
| onelogin | ruby-saml | >= 0 < 1.11.0-1ubuntu0.1+esm1 | 1.11.0-1ubuntu0.1+esm1 |
| onelogin | ruby-saml | >= 0 < 1.13.0-1ubuntu0.1+esm1 | 1.13.0-1ubuntu0.1+esm1 |
| onelogin | ruby-saml | >= 0 < 1.15.0-1ubuntu0.24.04.1+esm1 | 1.15.0-1ubuntu0.24.04.1+esm1 |
| onelogin | ruby-saml | >= 1.13.0 < 1.18.0 | 1.18.0 |
| onelogin | ruby-saml | >= 1.13.0 < 1.18.0 | 1.18.0 |
| saml-toolkits | ruby-saml | < 1.18.0 | 1.18.0 |
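To turn the table into a triage step, the following is an added example (not ruby-saml or omniauth-saml project code) that reads a Gemfile.lock and reports which of the CVEs above apply to the resolved ruby-saml and omniauth-saml versions. The ranges are transcribed from the table (the gem name omniauth-saml corresponds to the product listed as omniauth_saml; CVE-2025-66567 is taken as "up to and including 1.12.4" as the page states), and the lockfile text is constructed for illustration.

```ruby
# Added example, not ruby-saml or omniauth-saml project code: triage a
# Gemfile.lock against the ranges in the table above. Ranges are transcribed
# from the table; the lockfile below is constructed.
require "rubygems"

# Affected ranges per gem and CVE. Any satisfied requirement marks the version
# as affected. ruby-saml has two release branches, so CVE-2025-25292 needs two
# ranges; CVE-2025-66567 is listed as "up to and including 1.12.4".
VULNERABLE = {
  "ruby-saml" => {
    "CVE-2025-25292" => [Gem::Requirement.new("< 1.12.4"),
                         Gem::Requirement.new(">= 1.13.0", "< 1.18.0")],
    "CVE-2025-66567" => [Gem::Requirement.new("<= 1.12.4")],
  },
  "omniauth-saml" => { # listed in the table as omniauth_saml
    "CVE-2025-25292" => [Gem::Requirement.new("< 1.10.6"),
                         Gem::Requirement.new(">= 2.0.0", "< 2.1.3"),
                         Gem::Requirement.new(">= 2.2.0", "< 2.2.3")],
  },
}

# CVE identifiers that apply to `version` of `gem_name`; [] for an unknown gem.
def vulnerable_cves(gem_name, version)
  cves = VULNERABLE[gem_name]
  return [] unless cves
  v = Gem::Version.new(version)
  cves.select { |_, reqs| reqs.any? { |r| r.satisfied_by?(v) } }.keys
end

# Resolved gems appear in the lockfile's specs block as "    name (version)";
# their dependencies are indented deeper and are skipped by this pattern.
LOCK_SPEC = /\A {4}(\S+) \(([^)]+)\)\z/

# Map of affected gem name => list of applicable CVEs for a Gemfile.lock text.
def triage_lockfile(text)
  text.each_line(chomp: true).each_with_object({}) do |line, out|
    next unless (m = LOCK_SPEC.match(line))
    cves = vulnerable_cves(m[1], m[2])
    out[m[1]] = cves unless cves.empty?
  end
end

SAMPLE_LOCK = <<~LOCK # constructed
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3)
      omniauth-saml (2.1.2)
        omniauth (~> 2.1)
        ruby-saml (~> 1.17)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

p triage_lockfile(SAMPLE_LOCK)
# => {"omniauth-saml"=>["CVE-2025-25292"], "ruby-saml"=>["CVE-2025-25292"]}
```

Point it at a real lockfile with `triage_lockfile(File.read("Gemfile.lock"))`. Note that 1.12.4 comes back clean for CVE-2025-25292 but still flagged for CVE-2025-66567, which is the incomplete-fix follow-up below; only 1.18.0 clears both.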
Detection & IOCs (extracted from the sources quoted below)
- CVE-2025-25292 is a Signature Wrapping attack exploiting differential XML parsing between REXML and Nokogiri in ruby-saml; detect by monitoring SAML authentication flows for malformed or structurally ambiguous XML documents that the two parsers may interpret differently
- An attacker must have access to a valid signed SAML document to exploit this; monitor for SAML SSO authentication attempts where a user authenticates as a different identity than the one in the signed assertion (impersonation indicator)
- For GitLab self-managed instances, audit SAML SSO authentication logs for unexpected account access or privilege escalation events, particularly across users sharing the same SAML Identity Provider
- Vulnerable ruby-saml versions are prior to 1.12.4 and 1.18.0; identify deployments running affected versions as a detection/triage signal
- Enabling 2FA for all users on GitLab self-managed instances reduces exploitation risk but does NOT fully mitigate the vulnerability; MFA at the identity provider level specifically does not mitigate the problem
- Disabling the SAML two-factor bypass option and requiring admin approval for auto-created users (gitlab_rails['omniauth_block_auto_created_users'] = true in gitlab.rb) are recommended temporary mitigations only until patching is possible
- GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2 contain the fix; all versions before those remain vulnerable for self-managed installations requiring manual update
- The vulnerability only affects deployments using SAML SSO authentication at the instance or group level; non-SAML authentication methods are not impacted
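The description and the detection bullets above say what to look for but not how. The following is an added example, not ruby-saml's code and not taken from any source on this page, that applies those structural checks to a decoded SAML Response using Ruby's standard REXML parser and contrasts the naive "first Assertion wins" identity lookup with one that reads only the element the signature references. The `NS`, `elements_with_id`, `saml_structure_findings`, `naive_name_id`, `verified_name_id` and `parsers_agree_on_reference?` names are this example's own; the sample responses, IDs, NameID values and SignatureValue are constructed placeholders; actual XML-DSig verification is assumed to happen elsewhere; and Nokogiri is used only when it is installed.

```ruby
# Added example, not ruby-saml's code: structural checks that reject the ambiguity
# a signature-wrapping payload needs, beside the naive identity lookup wrapping
# exploits. Samples are constructed; signature values are placeholders and XML-DSig
# verification is assumed to run elsewhere.
require "rexml/document"

NS = { "saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
       "ds"   => "http://www.w3.org/2000/09/xmldsig#" }

# Elements whose ID equals `id`; compared in Ruby, never interpolated into XPath.
def elements_with_id(doc, id)
  REXML::XPath.match(doc, "//*[@ID]").select { |e| e.attributes["ID"] == id }
end

# Structural findings for a decoded SAML Response; empty means unambiguous.
# Each finding doubles as a detection signal when run over captured responses.
def saml_structure_findings(xml)
  findings = []
  findings << "DOCTYPE declaration present" if xml.match?(/<!DOCTYPE/i)
  doc = REXML::Document.new(xml)
  n = REXML::XPath.match(doc, "//saml:Assertion", NS).size
  findings << "#{n} Assertion elements (expected exactly 1)" if n != 1
  ids = REXML::XPath.match(doc, "//*[@ID]").map { |e| e.attributes["ID"] }
  dups = ids.tally.select { |_, c| c > 1 }.keys
  findings << "duplicate ID attributes: #{dups.join(', ')}" unless dups.empty?
  REXML::XPath.match(doc, "//ds:Signature", NS).each do |sig|
    ref = REXML::XPath.first(sig, "ds:SignedInfo/ds:Reference/@URI", NS)
    uri = ref ? ref.value : ""
    unless uri.start_with?("#")
      findings << "Reference URI #{uri.inspect} is not a same-document ID reference"
      next
    end
    targets = elements_with_id(doc, uri[1..])
    if targets.size != 1
      findings << "Reference #{uri} resolves to #{targets.size} elements"
    elsif !targets.first.equal?(sig.parent)
      findings << "Signature does not envelop the element it references (#{uri})"
    end
  end
  findings
end

# Vulnerable pattern: trust the first Assertion, whatever the signature covers.
def naive_name_id(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.first(doc, "//saml:Assertion/saml:Subject/saml:NameID", NS)&.text
end

# Hardened pattern: reject ambiguous documents, then take the identity only from the
# element the signature references, located in the very tree the signature check used.
def verified_name_id(xml)
  findings = saml_structure_findings(xml)
  raise ArgumentError, "rejected: #{findings.join('; ')}" unless findings.empty?
  doc = REXML::Document.new(xml)
  sig = REXML::XPath.first(doc, "//saml:Assertion/ds:Signature", NS)
  raise ArgumentError, "rejected: Assertion is not signed" unless sig
  uri = REXML::XPath.first(sig, "ds:SignedInfo/ds:Reference/@URI", NS).value
  signed = elements_with_id(doc, uri[1..]).first # exactly one, checked above
  # ... verify the XML-DSig over `signed` here, then read only from that element:
  REXML::XPath.first(signed, "saml:Subject/saml:NameID", NS)&.text
end

# Cross-parser check: if Nokogiri is installed, confirm it resolves the first
# Reference URI to the same element (name and ID) as REXML; :skipped otherwise.
def parsers_agree_on_reference?(xml)
  require "nokogiri"
rescue LoadError
  :skipped
else
  rdoc, ndoc = REXML::Document.new(xml), Nokogiri::XML(xml)
  rref = REXML::XPath.first(rdoc, "//ds:Reference/@URI", NS)
  nref = ndoc.at_xpath("//ds:Reference/@URI", NS)
  ruri, nuri = (rref ? rref.value : ""), (nref ? nref.value : "")
  rt = elements_with_id(rdoc, ruri[1..]).map { |e| [e.name, e.attributes["ID"]] }
  nt = ndoc.xpath("//*[@ID]").select { |e| e["ID"] == nuri[1..] }.map { |e| [e.name, e["ID"]] }
  ruri == nuri && rt == nt
end
SIGNED_ASSERTION = <<~XML # constructed; SignatureValue is a placeholder
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
XML
EVIL_ASSERTION = <<~XML # constructed: unsigned, attacker-chosen identity
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_evil" Version="2.0">
    <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
XML

def response(*assertions)
  "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_r1\" Version=\"2.0\">\n" \
    "#{assertions.join}</samlp:Response>\n"
end

BENIGN  = response(SIGNED_ASSERTION)
WRAPPED = response(EVIL_ASSERTION, SIGNED_ASSERTION) # attacker's assertion placed first
DUP_ID  = response(EVIL_ASSERTION.sub('ID="_evil"', 'ID="_a1"'), SIGNED_ASSERTION)
```

On `WRAPPED`, `naive_name_id` returns admin@example.com while `verified_name_id` raises with "2 Assertion elements"; on `DUP_ID` the findings also report the duplicate ID and a Reference that resolves to two elements. Run `saml_structure_findings` over Base64-decoded SAMLResponse values from your logs and alert on any non-empty result. The check is a detection and defence-in-depth layer, not a substitute for the patched versions: a parser differential of the kind ruby-saml had can make a document look clean to one parser and different to another, which is exactly what the `parsers_agree_on_reference?` cross-check is there to catch when both parsers are available.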
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa · 9.3 CRITICAL
osv · 9.3 CRITICAL
vendor_ubuntu · 9.8 CRITICAL
vendor_debian · 9.3 CRITICAL
Ubuntu
RubySAML vulnerabilities
vendor_ubuntu·2025-04-02·CVSS 9.8
CVE-2025-25292 [CRITICAL] RubySAML vulnerabilities
Summary: Several security issues were fixed in ruby-saml.
It was discovered that ruby-saml did not correctly handle XML parsing. An attacker could possibly use this issue to perform a signature wrapping attack and bypass authentication. (CVE-2025-25291 and CVE-2025-25292)
It was discovered that ruby-saml did not correctly handle decompressing SAML responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-25293)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2025-66567: ruby-saml - The ruby-saml library is for implementing the client side of a SAML authorizatio...
vendor_debian·2025·CVSS 9.3
CVE-2025-66567 [CRITICAL] CVE-2025-66567: ruby-saml - The ruby-saml library is for implementing the client side of a SAML authorizatio...
The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0.
Scope: local
bookworm: resolved
bullseye: resolved
Debian
CVE-2025-25292: ruby-saml - ruby-saml provides security assertion markup language (SAML) single sign-on (SSO...
vendor_debian·2025·CVSS 9.3
CVE-2025-25292 [CRITICAL] CVE-2025-25292: ruby-saml - ruby-saml provides security assertion markup language (SAML) single sign-on (SSO...
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential: REXML and Nokogiri parse XML differently and can generate entirely different document structures from the same XML input, which allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
Scope: local
bookworm: open
bullseye: resolved (fixed in 1.11.0-1+deb11u2)
OSV
CVE-2025-66567: The ruby-saml library is for implementing the client side of a SAML authorization
osv·2025-12-09·CVSS 9.3
CVE-2025-66567 [CRITICAL] CVE-2025-66567: The ruby-saml library is for implementing the client side of a SAML authorization
The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0.
GHSA
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)
ghsa·2025-12-08·CVSS 9.3
CVE-2025-66567 [CRITICAL] CWE-347 Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)
### Summary
In ruby-saml up to and including 1.12.4 there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. REXML and Nokogiri parse XML differently and can generate entirely different document structures from the same XML input, which allows an attacker to execute a Signature Wrapping attack. Version 1.18.0 is not affected.
### Impact
An attacker can execute a Signature Wrapping attack and bypass authentication.
OSV
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)
osv·2025-12-08·CVSS 9.3
CVE-2025-66567 [CRITICAL] Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)
### Summary
In ruby-saml up to and including 1.12.4 there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. REXML and Nokogiri parse XML differently and can generate entirely different document structures from the same XML input, which allows an attacker to execute a Signature Wrapping attack. Version 1.18.0 is not affected.
### Impact
An attacker can execute a Signature Wrapping attack and bypass authentication.
OSV
ruby-saml vulnerabilities
osv·2025-04-02·CVSS 9.3
CVE-2025-25291 [CRITICAL] ruby-saml vulnerabilities
ruby-saml vulnerabilities
It was discovered that ruby-saml did not correctly handle XML parsing. An attacker could possibly use this issue to perform a signature wrapping attack and bypass authentication. (CVE-2025-25291 and CVE-2025-25292)
It was discovered that ruby-saml did not correctly handle decompressing SAML responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-25293)
GHSA
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
ghsa·2025-03-12·CVSS 9.3
CVE-2025-25292 [CRITICAL] CWE-347 omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
### Summary
Two new critical Signature Wrapping vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a moderate-severity potential denial-of-service vulnerability (CVE-2025-25293) affect ruby-saml, a dependency of omniauth-saml.
The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.
Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0.
### Impact
Signature Wrapping vulnerabilities allow an attacker to impersonate a user.
GHSA
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)
ghsa·2025-03-12
CVE-2025-25292 [CRITICAL] CWE-347 Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)
### Summary
An authentication bypass vulnerability was found in ruby-saml due to a parser differential.
REXML and Nokogiri parse XML differently and can generate entirely different document structures from the same XML input, which allows an attacker to execute a Signature Wrapping attack.
### Impact
This issue may lead to authentication bypass.
OSV
CVE-2025-25292: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby
osv·2025-03-12·CVSS 9.3
CVE-2025-25292 [CRITICAL] CVE-2025-25292: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential: REXML and Nokogiri parse XML differently and can generate entirely different document structures from the same XML input, which allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
OSV
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)
osv·2025-03-12
CVE-2025-25292 [CRITICAL] Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)
### Summary
An authentication bypass vulnerability was found in ruby-saml due to a parser differential.
REXML and Nokogiri parse XML differently and can generate entirely different document structures from the same XML input, which allows an attacker to execute a Signature Wrapping attack.
### Impact
This issue may lead to authentication bypass.
OSV
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
osv·2025-03-12·CVSS 9.3
CVE-2025-25292 [CRITICAL] omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue
### Summary
Two new critical Signature Wrapping vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a moderate-severity potential denial-of-service vulnerability (CVE-2025-25293) affect ruby-saml, a dependency of omniauth-saml.
The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.
Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0.
### Impact
Signature Wrapping vulnerabilities allow an attacker to impersonate a user.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
GitLab patches critical authentication bypass vulnerabilities
blogs_bleepingcomputer·2025-03-13·CVSS 9.3
[CRITICAL] GitLab patches critical authentication bypass vulnerabilities
## GitLab patches critical authentication bypass vulnerabilities
By Bill Toulas
GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE), fixing nine vulnerabilities, among them two critical-severity ruby-saml library authentication bypass flaws.
All flaws were addressed in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2, while all versions before those are vulnerable.
GitLab.com is already patched, and GitLab Dedicated customers will be updated automatically, but users who maintain self-managed installations on their own infrastructure will need to apply the updates manually.
"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," warns the bulletin.
Wiz
CVE-2025-66567 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-66567 [CRITICAL] CVE-2025-66567 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66567: Ruby vulnerability analysis and mitigation
The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0.
Source : NVD
Score: 9.3 (CNA score 9.3)
Published: December 9, 2025
Severity: CRITICAL
Affected technologies: Ruby
Has public exploit: No
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
Exploitation Probability Percentile (EPSS): 13.2
Exploitation Probability (EP
References
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials
https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9
https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4
https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2
https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv
https://portswigger.net/research/saml-roulette-the-hacker-always-wins
https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml
https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html
https://news.ycombinator.com/item?id=43374519
https://security.netapp.com/advisory/ntap-20250314-0009/
Published: 2025-03-12