Full Report
Two high-severity security flaws have been disclosed in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections. SAML is an XML-based markup language and open-standard used for exchanging authentication and authorization data between parties, enabling features like single sign-on (SSO), which allows
Analysis Summary
# Vulnerability: ruby-saml Signature Wrapping Leading to Authentication Bypass
## CVE Details
- CVE ID: CVE-2025-25291, CVE-2025-25292
- CVSS Score: 8.8 (High)
- CWE: [Not explicitly stated, implied XML Signature Validation Bypass]
## Affected Systems
- Products: open-source ruby-saml library
- Versions: `>= 1.13.0` and `< 1.18.0` (Note: the fix is shipped as both 1.12.4 and 1.18.0, which suggests that an older release branch is affected as well; confirm the exact range against the vendor advisory.)
- Configurations: Systems using ruby-saml for SAML authentication/SSO.
## Vulnerability Description
The vulnerabilities stem from inconsistencies in how the REXML and Nokogiri XML parsers process the same XML input, resulting in different document structures. This "parser differential" allows an attacker to execute a **Signature Wrapping attack**. If an attacker possesses a single valid signature created with the key used to validate SAML responses for the targeted organization, they can forge malicious SAML assertions, leading to authentication bypass and account takeover for any user.
## Exploitation
- Status: The source says the flaws "could be abused" but does not report exploitation in the wild; a PoC is implied by the nature of the attack (Signature Wrapping).
- Complexity: Medium (requires possession of a single valid signature created with the key used to validate the target organization's SAML responses, as described above).
- Attack Vector: Network (Via crafting malicious SAML responses/assertions).
## Impact
- Confidentiality: High (Account Takeover allows access to user data).
- Integrity: High (Unauthorized actions can be performed as any user).
- Availability: Moderate (Potential for denial of service if attacks are extensive, though the main impact is takeover).
## Remediation
### Patches
The vulnerabilities (CVE-2025-25291 and CVE-2025-25292) are addressed in:
- ruby-saml version **1.12.4**
- ruby-saml version **1.18.0** (Recommended update)
*Note: The article also mentions CVE-2025-25293 (DoS flaw) is fixed in these versions.*
### Workarounds
The article does not explicitly list workarounds, implying immediate patching is the primary recommended action.
## Detection
- **Indicators of Compromise (IoC):** Successful SAML logins backed by assertions that should not have validated, or unexpected successful authentications from suspicious sources.
- **Detection Methods and Tools:** Analyzing SAML request/response traffic for malformed or suspicious XML structures that might indicate a wrapping attempt, and auditing how the REXML and Nokogiri parsers handle the same SAML message, since the attack depends on the two parsers disagreeing.
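As an added example that is not from ruby-saml or from the advisory, the following Ruby check (REXML only, from the standard library) flags the structural indicators of a wrapping attempt mentioned above before a Response reaches the SAML library; the two SAML documents in it are constructed samples with signature values omitted, since only structure is inspected.

```ruby
# Added example, not part of ruby-saml or of the advisory: a stdlib-only
# (REXML) pre-check that flags the structural indicators of a Signature
# Wrapping attempt before the Response is handed to the SAML library.
# It complements, and does not replace, upgrading to a patched version.
require "rexml/document"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS   = "http://www.w3.org/2000/09/xmldsig#"

# Returns an array of human-readable findings; empty means no indicator fired.
def saml_wrapping_findings(xml)
  doc = REXML::Document.new(xml)
  findings = []

  # A Response should carry exactly one Assertion that is consumed.
  assertions = REXML::XPath.match(doc, "//saml:Assertion", { "saml" => SAML_NS })
  findings << "#{assertions.size} Assertion elements" if assertions.size != 1

  # Duplicate ID values are how a wrapped copy hijacks an ID-based reference.
  ids  = REXML::XPath.match(doc, "//*[@ID]").map { |e| e.attributes["ID"] }
  dups = ids.tally.select { |_, n| n > 1 }.keys
  findings << "duplicate ID attributes: #{dups.join(', ')}" unless dups.empty?

  # Every signature Reference must resolve to exactly one element by ID.
  REXML::XPath.each(doc, "//ds:Reference", { "ds" => DS_NS }) do |ref|
    target = ref.attributes["URI"].to_s.delete_prefix("#")
    n = ids.count(target)
    findings << "Reference '#{ref.attributes['URI']}' matches #{n} elements" if n != 1
  end
  findings
end

# Constructed samples (not real traffic); signature values are omitted
# because only the document structure is inspected here.
BENIGN = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="#{SAML_NS}" xmlns:ds="#{DS_NS}" ID="_r1">
    <saml:Assertion ID="_a1">
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Same structure with a second Assertion reusing the signed ID (what a detector sees).
WRAPPED = BENIGN.sub("</samlp:Response>",
  %(<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>))
```

Running `saml_wrapping_findings` on the benign sample returns no findings, while the wrapped sample trips all three checks.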
## References
- Vendor Advisory (GitHub/ruby-saml): hxxps://github.com/advisories/GHSA-4vc4-m8qh-g8jm (For CVE-2025-25291)
- Vendor Advisory (GitHub/ruby-saml): hxxps://github.com/advisories/GHSA-754f-8gm6-c4r2 (For CVE-2025-25292)
- GitHub Blog Post/Research: hxxps://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/
- Release Notes: hxxps://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0