Critical ruby-saml Vulnerabilities Let Attackers Bypass Authentication

Security researchers from GitHub Security Lab have identified parser differential vulnerabilities (CVE-2025-25291 and CVE-2025-25292) affecting ruby-saml versions up to 1.17.0, which could allow attackers to impersonate any user within affected systems. The vulnerabilities were discovered through a private bug bounty engagement initiated by GitHub to evaluate the security of the ruby-saml library.

When validating SAML responses, the library performs two critical checks: comparing a calculated hash against a DigestValue and verifying the SignedInfo element against the SignatureValue. In the affected code, ruby-saml uses REXML to extract the Signature element and SignatureValue, while Nokogiri is used to extract and canonicalize the SignedInfo element.

Researchers discovered that an attacker could craft a malicious SAML response containing two different Signature elements: one visible to REXML and another visible to Nokogiri. Because the two parsers interpret the same XML document differently, an attacker can manipulate the verification checks so that a valid SignedInfo with its DigestValue is verified against a legitimate signature, while a fabricated assertion is compared against its own calculated digest. This technique disconnects the hash verification from the signature verification, allowing attackers to bypass authentication mechanisms and gain unauthorized access to protected resources.

An attacker with a valid signature created with the target organization's key can construct SAML assertions for any user. This signature could come from a legitimate SAML response belonging to an unprivileged user or, in some cases, even from publicly accessible signed metadata of a SAML identity provider.

The maintainer of ruby-saml, Sixto Martín, worked with security researchers to develop and release the fixes.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
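The two checks the article describes (digest against DigestValue, signature against SignedInfo) are only as strong as the guarantee that both read from the same Signature element of the same parsed document. The verifier below is an added illustration of that single-tree design; it is not ruby-saml's code, the fix, or the researchers' proof of concept. It is written in Python with the standard library, and several things are assumptions for the demo: an HMAC key (constructed) stands in for the identity provider's RSA signing key, ElementTree's C14N 2.0 stands in for the exclusive canonicalization SAML deployments use, the sample Response and assertion are constructed, and the helper names (`verify_response`, `check`, `build_signed_response`, `with_duplicated_signature`) are hypothetical.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"ds": DS, "saml": SAML}
ET.register_namespace("ds", DS)
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Assumption: an HMAC key stands in for the IdP's RSA key so the demo needs no
# crypto library. The single-tree verification logic is the point, not the primitive.
IDP_KEY = b"constructed-demo-key-not-a-real-idp-secret"


def c14n(elem):
    """Canonical bytes of one element subtree taken from the one parsed tree."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def enveloped_c14n(assertion):
    """Canonical bytes of the assertion with its own ds:Signature removed
    (the enveloped-signature transform), computed on a copy."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return c14n(clone)


def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def sign_b64(data):
    return base64.b64encode(hmac.new(IDP_KEY, data, hashlib.sha256).digest()).decode()


def verify_response(xml_bytes):
    """Return the NameID of the verified assertion or raise ValueError.

    One parser, one tree: DigestValue and SignedInfo are read from the same
    Signature element, so the hash check cannot be detached from the signature
    check, and any document with more than one Signature is rejected outright."""
    root = ET.fromstring(xml_bytes)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    sigs = assertion.findall("ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature on the Assertion")
    sig = sigs[0]
    signed_info = sig.find("ds:SignedInfo", NS)
    sig_value = sig.findtext("ds:SignatureValue", namespaces=NS)
    refs = signed_info.findall("ds:Reference", NS) if signed_info is not None else []
    if len(refs) != 1 or sig_value is None:
        raise ValueError("malformed Signature")
    ref = refs[0]
    # The signed Reference must name this very assertion, not some other ID.
    if ref.get("URI") != "#" + (assertion.get("ID") or ""):
        raise ValueError("Reference URI does not name the Assertion")
    expected_digest = ref.findtext("ds:DigestValue", namespaces=NS) or ""
    # Check 1: digest of the assertion vs. the DigestValue inside *this* SignedInfo.
    if not hmac.compare_digest(digest_b64(enveloped_c14n(assertion)), expected_digest):
        raise ValueError("DigestValue does not match the Assertion")
    # Check 2: the signature must cover *this* SignedInfo, the one just used.
    if not hmac.compare_digest(sign_b64(c14n(signed_info)), sig_value):
        raise ValueError("SignatureValue does not verify over SignedInfo")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def check(xml_bytes):
    """Wrapper returning ('ok', name_id) or ('rejected', reason)."""
    try:
        return ("ok", verify_response(xml_bytes))
    except ValueError as exc:
        return ("rejected", str(exc))


# ---- constructed fixtures: a minimal IdP-style signer, demo only ----

def _assertion_xml(name_id, assertion_id, signature_xml=""):
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}">'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'{signature_xml}</saml:Assertion>'
    )


def build_signed_response(name_id, assertion_id="_a1"):
    """Constructed sample: a correctly signed Response for name_id."""
    digest = digest_b64(c14n(ET.fromstring(_assertion_xml(name_id, assertion_id))))
    signed_info = (
        f'<ds:SignedInfo xmlns:ds="{DS}"><ds:Reference URI="#{assertion_id}">'
        f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    )
    sig_value = sign_b64(c14n(ET.fromstring(signed_info)))
    signature = (
        f'<ds:Signature xmlns:ds="{DS}">{signed_info}'
        f'<ds:SignatureValue>{sig_value}</ds:SignatureValue></ds:Signature>'
    )
    body = _assertion_xml(name_id, assertion_id, signature)
    return f'<samlp:Response xmlns:samlp="{SAMLP}">{body}</samlp:Response>'.encode()


def with_duplicated_signature(xml_bytes):
    """Constructed negative case: the same assertion carrying two Signature elements."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    assertion.append(copy.deepcopy(assertion.find("ds:Signature", NS)))
    return ET.tostring(root)


if __name__ == "__main__":
    good = build_signed_response("alice")
    print(check(good))                                  # ('ok', 'alice')
    print(check(good.replace(b">alice<", b">admin<")))  # rejected: digest mismatch
    print(check(with_duplicated_signature(good)))       # rejected: two Signatures
```

Two design choices carry the defensive weight. First, the Signature is located once, as the single direct child of the single Assertion, and every later step (Reference URI, DigestValue, SignedInfo, SignatureValue) is a lookup inside that one element object; there is no second parse or second search that a differently behaving parser could answer differently. Second, ambiguity is treated as failure: more than one Assertion, more than one Signature, or more than one Reference is rejected before any cryptography runs, which is cheaper and safer than trying to pick the "right" one.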

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 14 Mar 2025 11:50:05 +0000

