
High-Severity Vulnerabilities Found in Ruby-SAML Library, Enabling Authentication Bypass

Security researchers have uncovered two critical vulnerabilities in the ruby-saml library


Security researchers have uncovered two critical vulnerabilities in the ruby-saml library, an open-source implementation of Security Assertion Markup Language (SAML), which could allow attackers to bypass authentication mechanisms.

These flaws, tracked as CVE-2025-25291 and CVE-2025-25292, highlight risks associated with the way XML parsing is handled within SAML authentication, potentially leading to account takeovers.

Understanding SAML and Its Importance

SAML is an XML-based authentication protocol widely used in single sign-on (SSO) systems. It allows users to authenticate once and gain access to multiple applications without needing to log in separately. This is commonly used in enterprise environments for secure identity federation across multiple platforms.

By exploiting weaknesses in how ruby-saml processes XML, attackers could manipulate authentication requests to gain unauthorized access to accounts, highlighting the critical role of secure SAML implementations.

Details of the Vulnerabilities

The vulnerabilities impact ruby-saml versions:

  • Versions below 1.12.4

  • Versions from 1.13.0 up to, but not including, 1.18.0

Root Cause: XML Parser Discrepancies

Both vulnerabilities stem from differences in how two XML parsers, REXML and Nokogiri, interpret XML data. This mismatch allows an attacker to exploit Signature Wrapping techniques, crafting malicious XML documents that bypass signature verification.
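The defensive counterpart to the parser-discrepancy problem is to resolve the signed element and read its contents with a single parser, and to reject any document in which the signature's reference is ambiguous. The Ruby snippet below is an added illustration written for this article; it is not ruby-saml's own code and does not reproduce either CVE. It uses Ruby's bundled REXML to locate the one enveloped signature, resolve its `Reference URI` by scanning every `ID` attribute in the document, and refuse the response unless exactly one element carries that id, the signature sits directly inside it, and it is a `saml:Assertion` (accepting only a signed Assertion is a simplification of this example). The `DigestValue`/`SignatureValue` contents in the constructed samples are placeholders because cryptographic verification is deliberately out of scope here.

```ruby
require "rexml/document"
require "rexml/xpath"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS   = "http://www.w3.org/2000/09/xmldsig#"

class SignedReferenceError < StandardError; end

# Locate the element the (single) XML Signature covers and refuse the document
# unless that reference is unambiguous. The same REXML tree is used both to
# resolve the reference and to read the result, so no second parser can hold a
# different view of the document. Digest/signature crypto is not checked here.
def resolve_signed_element(xml)
  doc = REXML::Document.new(xml)
  ns  = { "ds" => DS_NS, "saml" => SAML_NS }

  sigs = REXML::XPath.match(doc, "//ds:Signature", ns)
  raise SignedReferenceError, "expected exactly one Signature, found #{sigs.size}" unless sigs.size == 1
  sig = sigs.first

  refs = REXML::XPath.match(sig, "./ds:SignedInfo/ds:Reference", ns)
  raise SignedReferenceError, "expected exactly one Reference, found #{refs.size}" unless refs.size == 1
  uri = refs.first.attributes["URI"].to_s
  raise SignedReferenceError, "Reference URI must be a same-document #id" unless uri.start_with?("#") && uri.length > 1
  id = uri[1..]

  # Resolve the id by scanning every element's ID attribute rather than with a
  # type-specific XPath, so a second element reusing the same id is noticed.
  matches = []
  matches << doc.root if doc.root.attributes["ID"] == id
  doc.root.each_recursive { |n| matches << n if n.is_a?(REXML::Element) && n.attributes["ID"] == id }
  raise SignedReferenceError, "id #{id} resolves to #{matches.size} elements, expected 1" unless matches.size == 1
  target = matches.first

  # Enveloped signature: the Signature must be a direct child of the signed element.
  raise SignedReferenceError, "Signature is not enveloped in the referenced element" unless sig.parent.equal?(target)
  unless target.name == "Assertion" && target.namespace == SAML_NS
    raise SignedReferenceError, "signed element is #{target.expanded_name}, expected saml:Assertion"
  end
  target
end

# Read the subject NameID from the signed assertion only, never from a sibling.
def signed_name_id(xml)
  target = resolve_signed_element(xml)
  node = REXML::XPath.first(target, "./saml:Subject/saml:NameID", { "saml" => SAML_NS })
  node&.text
end

# Constructed sample: one signed assertion; digest and signature values are placeholders.
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
    <saml:Assertion ID="_a1">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: the same id appears on two assertions, so the reference is ambiguous
# and the verifier must refuse rather than pick one.
AMBIGUOUS_RESPONSE = GOOD_RESPONSE.sub("</saml:Assertion>", <<~XML.chomp)
  </saml:Assertion>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>bob@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
XML

if __FILE__ == $PROGRAM_NAME
  puts "signed subject: #{signed_name_id(GOOD_RESPONSE)}"
  begin
    signed_name_id(AMBIGUOUS_RESPONSE)
  rescue SignedReferenceError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the check is that "which element is signed" is decided once, by identity on a single parsed tree, and every later read goes through that same object; a verifier that answers that question with one library and then re-reads the assertion with another is exactly the shape of code the article's root-cause section describes.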

Potential Impact

According to GitHub Security Lab, which discovered the flaws in November 2024, these vulnerabilities could allow attackers to forge SAML assertions and authenticate as any user without knowing their credentials.

“Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and log in as any user,” said GitHub Security Lab researcher Peter Stöckli.

This means that if an attacker gains access to a legitimate SAML signature, they can spoof authentication requests and impersonate any user in an organization, effectively compromising accounts without cracking passwords.

Denial-of-Service Vulnerability (CVE-2025-25293)

In addition to the authentication bypass flaws, ruby-saml was also found to contain a remote denial-of-service (DoS) vulnerability (CVE-2025-25293, CVSS score: 7.7).

This issue arises when the library processes compressed SAML responses, potentially allowing attackers to overload a system and cause service disruptions.
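SAML's HTTP-Redirect binding carries requests and responses as raw DEFLATE data (RFC 1951) under base64, so a consumer that inflates without a ceiling will expand whatever the sender chose to send. The snippet below is an added example, not ruby-saml's code and not its actual fix: it inflates a raw-deflate payload in small input slices and aborts as soon as the output passes a caller-chosen cap. The 256-byte slice size and the 1 MiB cap used in the demo are assumptions picked for illustration; the `raw_deflate` helper exists only to build sample inputs.

```ruby
require "zlib"

class InflateLimitExceeded < StandardError; end

# Inflate a raw DEFLATE payload (the form the SAML HTTP-Redirect binding uses
# before base64) without ever accumulating more than +max_bytes+ of output.
# Input is fed in small slices so the size check runs after every slice and a
# tiny input that expands enormously is stopped early instead of exhausting memory.
def bounded_inflate(raw, max_bytes:, step: 256)
  z   = Zlib::Inflate.new(-Zlib::MAX_WBITS)  # negative window bits: raw deflate, no zlib header
  out = String.new(encoding: Encoding::BINARY)
  off = 0
  while off < raw.bytesize
    out << z.inflate(raw.byteslice(off, step))
    if out.bytesize > max_bytes
      raise InflateLimitExceeded, "inflated payload exceeds #{max_bytes} bytes"
    end
    off += step
  end
  raise Zlib::DataError, "truncated deflate stream" unless z.finished?
  out
ensure
  z&.close
end

# Raw-deflate helper used only to construct sample inputs for the demo and test.
def raw_deflate(str)
  d = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  d.deflate(str, Zlib::FINISH)
ensure
  d&.close
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample message: inflates well within the cap.
  msg = "<samlp:Response ID=\"_r1\"/>"
  puts bounded_inflate(raw_deflate(msg), max_bytes: 1 << 20)
  # Constructed oversized input: a few kilobytes that would inflate to 8 MB.
  begin
    bounded_inflate(raw_deflate("\0" * 8_000_000), max_bytes: 1 << 20)
  rescue InflateLimitExceeded => e
    puts "rejected: #{e.message}"
  end
end
```

Choosing the cap is a deployment decision: a real SAML message is at most a few hundred kilobytes, so a limit in the low megabytes rejects abusive input without touching legitimate traffic, and the rejection should be logged so repeated attempts are visible to operators.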

Mitigation and Recommended Actions

To protect against these vulnerabilities, users must immediately update to the patched versions:

  • ruby-saml 1.12.4

  • ruby-saml 1.18.0

Organizations using SAML-based authentication should also:

  1. Regularly audit authentication logs for unusual login patterns.

  2. Restrict access to SAML signing keys to prevent unauthorized signature misuse.

  3. Implement strong security policies around XML parsing to reduce risks from parser differentials.

Broader Security Implications

This discovery follows a September 2024 vulnerability (CVE-2024-45409, CVSS score: 10.0) in GitLab and ruby-saml, which also allowed authentication bypass. The repeated security flaws in SAML implementations underscore the importance of strict validation and secure XML parsing in identity authentication systems.

As attackers increasingly target authentication mechanisms, ensuring that SAML authentication is secure is essential for protecting sensitive user data and enterprise environments.