Two high-severity safety flaws have been disclosed within the open-source ruby-saml library that would permit malicious actors to bypass Safety Assertion Markup Language (SAML) authentication protections.
SAML is an XML-based markup language and open-standard used for exchanging authentication and authorization knowledge between events, enabling options like single sign-on (SSO), which permits people to make use of a single set of credentials to entry a number of websites, providers, and apps.
The vulnerabilities, tracked as CVE-2025-25291 and CVE-2025-25292, carry a CVSS rating of 8.8 out of 10.0. They have an effect on the next variations of the library –
Each the shortcomings stem from how each REXML and Nokogiri parse XML otherwise, inflicting the 2 parsers to generate fully completely different doc buildings from the identical XML enter
This parser differential permits an attacker to have the ability to execute a Signature Wrapping assault, resulting in an authentication bypass. The vulnerabilities have been addressed in ruby-saml variations 1.12.4 and 1.18.0.
Microsoft-owned GitHub, which found and reported the failings in November 2024, mentioned they might be abused by malicious actors to conduct account takeover assaults.
“Attackers who’re in possession of a single legitimate signature that was created with the important thing used to validate SAML responses or assertions of the focused group can use it to assemble SAML assertions themselves and are in flip capable of log in as any person,” GitHub Safety Lab researcher Peter Stöckli said in a publish.
The Microsoft-owned subsidiary additionally famous that the difficulty boils all the way down to a “disconnect” between verification of the hash and verification of the signature, opening the door to exploitation through a parser differential.
Variations 1.12.4 and 1.18.0 additionally plug a distant denial-of-service (DoS) flaw when dealing with compressed SAML responses (CVE-2025-25293, CVSS rating: 7.7). Customers are advisable to replace to the most recent model to safeguard in opposition to potential threats.
The findings come almost six months after GitLab and ruby-saml moved to handle one other vital vulnerability (CVE-2024-45409, CVSS rating: 10.0) that would additionally lead to an authentication bypass.
Source link