ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)
Description
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack, which may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authentication bypass in ruby-saml due to XML parser differential between ReXML and Nokogiri, enabling Signature Wrapping attacks; fixed in versions 1.12.4 and 1.18.0.
Vulnerability
Overview
CVE-2025-25291 is an authentication bypass vulnerability in the ruby-saml library, which implements SAML single sign-on (SSO) for Ruby. The root cause is a parser differential between the ReXML and Nokogiri XML parsers used by the library. These parsers can generate entirely different document structures from the same XML input, allowing an attacker to craft a SAML response that is interpreted differently during signature validation and subsequent processing [1][4]. This discrepancy enables a Signature Wrapping attack, where the attacker can bypass signature checks while injecting malicious content.
Exploitation
To exploit this vulnerability, an attacker must possess a single valid SAML signature created with the private key used by the target organization to sign SAML responses or assertions. With this signature, the attacker can construct a SAML response that passes signature validation on the service provider side but yields a different assertion during subsequent processing, because the two parsers build different trees from the same bytes. The attack does not require prior authentication; it only requires possession of a valid signature, such as the one in a SAML response the identity provider issued for the attacker's own low-privileged login or one captured from any earlier response [3].
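The Overview and Exploitation paragraphs above describe a Signature Wrapping attack made possible by two parsers disagreeing about the same document. The following is an added example, not ruby-saml's code and not the advisory's exploit: it reproduces the end effect of wrapping inside a single parser (REXML), using a SHA-256 digest over the serialized element as a stand-in for an XML-DSig reference so that it runs offline with no key material. The responses, IDs and e-mail addresses are constructed for the example, and `verified_node`, `vulnerable_login` and `hardened_login` are names chosen here. The vulnerable function verifies a digest over one node and then logs in whichever assertion an unrelated lookup returns; the hardened function trusts only the node whose digest it actually verified. That invariant, "the node you verified is the node you act on", is exactly what breaks when verification and extraction run over two different parse trees, as in this CVE.

```ruby
require 'rexml/document'
require 'rexml/xpath'
require 'digest'

SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'
DS   = 'http://www.w3.org/2000/09/xmldsig#'

# Toy stand-in for an XML-DSig Reference digest: SHA-256 over the element as
# REXML serializes it. A real verifier canonicalizes (C14N) and checks an RSA
# signature over SignedInfo; that machinery is not needed to show the logic flaw.
def toy_digest(element)
  Digest::SHA256.hexdigest(element.to_s)
end

def assertion_xml(id, name_id)
  %(<saml:Assertion xmlns:saml="#{SAML}" ID="#{id}">) +
    %(<saml:Subject><saml:NameID>#{name_id}</saml:NameID></saml:Subject></saml:Assertion>)
end

def signature_xml(id, digest)
  %(<ds:Signature xmlns:ds="#{DS}"><ds:SignedInfo><ds:Reference URI="##{id}">) +
    %(<ds:DigestValue>#{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature>)
end

def response_xml(*children)
  %(<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">) +
    children.join + '</samlp:Response>'
end

# Constructed sample: the single assertion the IdP really signed, for alice.
SIGNED_ASSERTION = assertion_xml('_signed01', 'alice@example.com')
SIGNED_DIGEST    = toy_digest(REXML::Document.new(SIGNED_ASSERTION).root)
SIGNATURE        = signature_xml('_signed01', SIGNED_DIGEST)

# Legitimate response: the signature references _signed01, the only assertion.
LEGIT_RESPONSE = response_xml(SIGNATURE, SIGNED_ASSERTION)

# Wrapped response: the attacker keeps the signed assertion byte-for-byte, so its
# digest still verifies, but places an unsigned assertion for admin ahead of it.
FORGED_ASSERTION = assertion_xml('_forged01', 'admin@example.com')
WRAPPED_RESPONSE = response_xml(SIGNATURE, FORGED_ASSERTION, SIGNED_ASSERTION)

# Resolve the Reference URI to a node, check its digest, and return that node.
# (Looking up "any element with this ID" is itself a classic wrapping foothold;
# it is kept simple here because the point is what happens after verification.)
def verified_node(doc)
  ref = REXML::XPath.first(doc, '//ds:Reference', 'ds' => DS)
  id = ref.attributes['URI'].delete_prefix('#')
  expected = REXML::XPath.first(ref, 'ds:DigestValue', 'ds' => DS).text
  node = REXML::XPath.first(doc, "//*[@ID='#{id}']")
  raise 'signature verification failed' unless node && toy_digest(node) == expected
  node
end

def name_id(assertion)
  REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', 'saml' => SAML).text
end

# Vulnerable pattern: verify a digest over *some* node, then choose the assertion
# to log in with by an unrelated lookup (here: first Assertion in document order).
# Nothing ties the verified node to the node that grants access.
def vulnerable_login(xml)
  doc = REXML::Document.new(xml)
  verified_node(doc)
  name_id(REXML::XPath.first(doc, '//saml:Assertion', 'saml' => SAML))
end

# Hardened pattern: only the node whose digest verified is trusted, and it must
# actually be a SAML Assertion rather than some other element carrying the ID.
def hardened_login(xml)
  doc = REXML::Document.new(xml)
  node = verified_node(doc)
  unless node.name == 'Assertion' && node.namespace == SAML
    raise 'signed element is not a SAML Assertion'
  end
  name_id(node)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable, legit:   #{vulnerable_login(LEGIT_RESPONSE)}"
  puts "vulnerable, wrapped: #{vulnerable_login(WRAPPED_RESPONSE)}"   # admin@example.com
  puts "hardened,   legit:   #{hardened_login(LEGIT_RESPONSE)}"
  puts "hardened,   wrapped: #{hardened_login(WRAPPED_RESPONSE)}"     # alice@example.com
end
```

Both functions accept the wrapped response as correctly signed; the difference is only which assertion they act on. In ruby-saml the two steps were split across parsers rather than across lookups, so even code that looked like `hardened_login` could end up with REXML's idea of the signed node and Nokogiri's idea of the assertion. The practical rule is the same either way: parse once, and derive the identity you log in from the very node whose signature you checked.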
Impact
Successful exploitation leads to authentication bypass, allowing the attacker to log in as any user of the affected application. This effectively results in a full account takeover, as the attacker can impersonate any user without needing their credentials. The impact is critical, especially in enterprise environments where SAML SSO is used for access control [3].
Mitigation
The vulnerability is fixed in ruby-saml versions 1.12.4 and 1.18.0. Users of the library should upgrade immediately. Additionally, any dependent libraries (e.g., omniauth-saml) must be updated to versions that reference a fixed ruby-saml. The maintainers have released patches, and no workarounds are available [1][3].
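To act on the mitigation above, the following added example (not part of the advisory or of the ruby-saml project) reads a Gemfile.lock, checks the resolved ruby-saml version against the two affected ranges from the table on this page, reports the patched release for that line, and lists the gems that depend on ruby-saml (omniauth-saml in the sample) so they get re-resolved as well. The lockfile is a constructed sample with illustrative versions; `RUBY_SAML_ADVISORY`, `lock_specs` and `audit_lockfile` are names chosen here.

```ruby
require 'rubygems'

# Affected/patched pairs from the advisory's table. The two rows are separate
# release lines, so a version is fixed by the patched release of its own line.
RUBY_SAML_ADVISORY = [
  { affected: Gem::Requirement.new('< 1.12.4'),              patched: '1.12.4' },
  { affected: Gem::Requirement.new('>= 1.13.0', '< 1.18.0'), patched: '1.18.0' },
].freeze

# Returns the patched version a given ruby-saml version should move to,
# or nil when the version is outside both affected ranges.
def ruby_saml_patched_version(version)
  v = Gem::Version.new(version)
  row = RUBY_SAML_ADVISORY.find { |r| r[:affected].satisfied_by?(v) }
  row && row[:patched]
end

# Minimal Gemfile.lock reader for the `specs:` block: four-space lines are
# resolved gems ("name (version)"), six-space lines beneath them are their
# declared dependencies. Returns { name => { version:, deps: [] } }.
def lock_specs(text)
  specs = {}
  current = nil
  text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      current = m[1]
      specs[current] = { version: m[2], deps: [] }
    elsif current && (m = line.match(/\A {6}(\S+)/))
      specs[current][:deps] << m[1]
    else
      current = nil
    end
  end
  specs
end

# Audit one lockfile: which ruby-saml is resolved, whether it sits in an affected
# range, and which gems pull it in and therefore need re-resolving too.
def audit_lockfile(text)
  specs = lock_specs(text)
  saml = specs['ruby-saml']
  return { present: false } unless saml
  {
    present: true,
    version: saml[:version],
    patched_version: ruby_saml_patched_version(saml[:version]),
    dependents: specs.select { |_, s| s[:deps].include?('ruby-saml') }.keys,
  }
end

# Constructed sample lockfile; the versions are illustrative, not a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
        racc (~> 1.4)
      omniauth-saml (2.1.0)
        omniauth (~> 2.0)
        ruby-saml (~> 1.12)
      racc (1.7.3)
      rexml (3.2.6)
      ruby-saml (1.12.3)
        nokogiri (>= 1.13.10)
        rexml

  PLATFORMS
    ruby

  DEPENDENCIES
    omniauth-saml
LOCK

if $PROGRAM_NAME == __FILE__
  r = audit_lockfile(SAMPLE_LOCK)
  if r[:patched_version]
    puts "ruby-saml #{r[:version]} is affected by CVE-2025-25291; upgrade to #{r[:patched_version]}"
    puts "re-resolve dependents as well: #{r[:dependents].join(', ')}" unless r[:dependents].empty?
  else
    puts "ruby-saml #{r[:version] || 'absent'}: not in an affected range"
  end
end
```

Point `audit_lockfile` at `File.read('Gemfile.lock')` for a real project. Checking the resolved version in the lockfile, rather than the constraint in the Gemfile, is what matters: a `~> 1.12` constraint is satisfied by both the vulnerable 1.12.3 and the patched 1.12.4, so only `bundle update ruby-saml` (and a bump of the dependent gem where its own constraint blocks the fix) changes what actually loads.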
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ruby-saml (RubyGems) | < 1.12.4 | 1.12.4 |
| ruby-saml (RubyGems) | >= 1.13.0, < 1.18.0 | 1.18.0 |
Affected products
- Range: < 1.12.4 or < 1.18.0
- OSV coordinates (2 versions): < 17.9.2, < 1.12.4
- (no CPE) range: < 17.9.2
- (no CPE) range: < 1.12.4
- SAML-Toolkits/ruby-saml range: < 1.12.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4vc4-m8qh-g8jm (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-25291 (advisory)
- securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml (advisory)
- about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released (web)
- github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials (web)
- github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9 (web)
- github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97 (web)
- github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4 (web)
- github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0 (web)
- github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm (web, confirm)
- github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv (web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-25291.yml (web)
- lists.debian.org/debian-lts-announce/2025/04/msg00011.html (web)
- news.ycombinator.com/item (web)
- portswigger.net/research/saml-roulette-the-hacker-always-wins (web)
- security.netapp.com/advisory/ntap-20250314-0010 (web)
News mentions
- GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7 (GitLab Security Releases, Mar 12, 2025)