CVE-2025-25292
published 2025-03-12


Priority: P181 · Severity: critical · Score: 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 63.79% (99.1th percentile)
ruby-saml provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential: REXML and Nokogiri parse XML differently, so the two parsers can produce entirely different document structures from the same XML input. That lets an attacker carry out a Signature Wrapping attack, which may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

Affected

18 ranges

Vendor        | Product        | Version range                          | Fixed in
debian        | ruby-saml      | < ruby-saml 1.11.0-1+deb11u2 (bullseye) | ruby-saml 1.11.0-1+deb11u2 (bullseye)
debian        | ruby-saml      |                                        |
omniauth      | omniauth_saml  | < 1.10.6                               | 1.10.6
omniauth      | omniauth_saml  | >= 2.0.0 < 2.1.3                       | 2.1.3
omniauth      | omniauth_saml  | >= 2.2.0 < 2.2.3                       | 2.2.3
onelogin      | ruby-saml      | < 1.18.0                               | 1.18.0
onelogin      | ruby-saml      | < 1.12.4                               | 1.12.4
onelogin      | ruby-saml      | >= 0 < 1.11.0-1+deb11u2                | 1.11.0-1+deb11u2
onelogin      | ruby-saml      | >= 0 < 1.18.0                          | 1.18.0
onelogin      | ruby-saml      | >= 0 < 1.12.4                          | 1.12.4
onelogin      | ruby-saml      | >= 0 < 1.1.2-1ubuntu1+esm2             | 1.1.2-1ubuntu1+esm2
onelogin      | ruby-saml      | >= 0 < 1.7.2-1ubuntu0.1~esm2           | 1.7.2-1ubuntu0.1~esm2
onelogin      | ruby-saml      | >= 0 < 1.11.0-1ubuntu0.1+esm1          | 1.11.0-1ubuntu0.1+esm1
onelogin      | ruby-saml      | >= 0 < 1.13.0-1ubuntu0.1+esm1          | 1.13.0-1ubuntu0.1+esm1
onelogin      | ruby-saml      | >= 0 < 1.15.0-1ubuntu0.24.04.1+esm1    | 1.15.0-1ubuntu0.24.04.1+esm1
onelogin      | ruby-saml      | >= 1.13.0 < 1.18.0                     | 1.18.0
onelogin      | ruby-saml      | >= 1.13.0 < 1.18.0                     | 1.18.0
saml-toolkits | ruby-saml      | < 1.18.0                               | 1.18.0

Detection & IOCs (extracted from sources)

  • CVE-2025-25292 is a Signature Wrapping attack that exploits differential XML parsing between REXML and Nokogiri in ruby-saml; detect it by monitoring SAML authentication flows for malformed or structurally ambiguous XML documents that the two parsers may interpret differently.
  • An attacker must have access to a valid signed SAML document to exploit this; monitor for SAML SSO authentication attempts in which a user authenticates as a different identity than the one named in the signed assertion (an impersonation indicator).
  • For GitLab self-managed instances, audit SAML SSO authentication logs for unexpected account access or privilege escalation events, particularly across users who share the same SAML Identity Provider.
  • Vulnerable ruby-saml versions are those prior to 1.12.4 and 1.18.0; identify deployments running affected versions as a detection and triage signal.
  • Enabling 2FA for all users on GitLab self-managed instances reduces exploitation risk but does NOT fully mitigate the vulnerability; MFA enforced at the identity provider level specifically does not mitigate the problem.
  • Disabling the SAML two-factor bypass option and requiring admin approval for auto-created users ('gitlab_rails[omniauth_block_auto_created_users] = true') are recommended only as temporary mitigations until patching is possible.
  • GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2 contain the fix; all earlier versions remain vulnerable, and self-managed installations require a manual update.
  • The vulnerability only affects deployments that use SAML SSO authentication at the instance or group level; non-SAML authentication methods are not impacted.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v4.0    | 9.3   | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa          |         | 9.3   | CRITICAL |
osv           |         | 9.3   | CRITICAL |
vendor_ubuntu |         | 9.8   | CRITICAL |
vendor_debian |         | 9.3   | CRITICAL |