VYPR
Critical severity (9.8) · NVD Advisory · Published Mar 12, 2025 · Updated Jun 17, 2026

CVE-2025-25292

Description

ruby-saml provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential: REXML and Nokogiri parse XML differently, so the two parsers can generate entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack, which may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions        Patched versions
ruby-saml   RubyGems    >= 1.13.0, < 1.18.0      1.18.0
ruby-saml   RubyGems    < 1.12.4                 1.12.4
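The two affected ranges above are easy to misread when checking a deployment by hand (a 1.12.x backport series and a separate 1.13.0 to 1.18.0 range). The following Ruby script, added here as an example and not part of the advisory or of ruby-saml itself, encodes the published ranges with Gem::Requirement and scans a Gemfile.lock for the ruby-saml entry. The lockfile fragment is constructed for the demonstration; the function names are this example's own.

```ruby
# Added example (not from the advisory or the ruby-saml project): report whether
# a pinned ruby-saml version falls inside the affected ranges for CVE-2025-25292.
require "rubygems"

# Affected ranges exactly as published for this CVE, with the version that
# closes each range.
AFFECTED_RANGES = [
  { requirement: Gem::Requirement.new("< 1.12.4"),            patched: "1.12.4" },
  { requirement: Gem::Requirement.new(">= 1.13.0", "< 1.18.0"), patched: "1.18.0" },
].freeze

# Returns the patched version the given ruby-saml version should move to,
# or nil when the version is outside both affected ranges.
def ruby_saml_fix_for(version_string)
  version = Gem::Version.new(version_string)
  entry = AFFECTED_RANGES.find { |r| r[:requirement].satisfied_by?(version) }
  entry && entry[:patched]
end

def ruby_saml_affected?(version_string)
  !ruby_saml_fix_for(version_string).nil?
end

# Locate the resolved ruby-saml spec line in Gemfile.lock text. Spec lines sit
# under "specs:" with four leading spaces; dependency lines use six, so they
# are not matched.
def check_gemfile_lock(lock_text)
  match = lock_text.match(/^ {4}ruby-saml \(([^)]+)\)/)
  return { found: false } unless match

  version = match[1]
  {
    found: true,
    version: version,
    affected: ruby_saml_affected?(version),
    fix: ruby_saml_fix_for(version),
  }
end

# Constructed sample lockfile fragment (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
      ruby-saml (1.15.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

if __FILE__ == $PROGRAM_NAME
  result = check_gemfile_lock(SAMPLE_LOCK)
  if result[:found]
    status = result[:affected] ? "AFFECTED, upgrade to #{result[:fix]}" : "not affected"
    puts "ruby-saml #{result[:version]}: #{status}"
  else
    puts "ruby-saml not present in lockfile"
  end
end
```

Run it against a real lockfile with `check_gemfile_lock(File.read("Gemfile.lock"))`; a version in the 1.12.x series at or above 1.12.4 is reported as not affected, which matches the two separate patched lines in the table.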
