Omniauth


Products by Omniauth Sorted by Most Security Vulnerabilities since 2018

Omniauth Saml5 vulnerabilities

Omniauth2 vulnerabilities

By the Year

In 2026 there have been 0 vulnerabilities in Omniauth. Last year, in 2025, Omniauth had 3 security vulnerabilities published. Right now, Omniauth is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year  Vulnerabilities  Average Score
2026  0                0.00
2025  3                0.00
2024  1                9.80
2023  0                0.00
2022  1                0.00
2021  0                0.00
2020  0                0.00
2019  2                9.80

It may take a day or so for new Omniauth vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Omniauth Security Vulnerabilities

CVE-2025-25293 | Mar 12, 2025 | Omniauth Saml
Remote DoS via Compressed SAML in ruby-saml before 1.12.4/1.18.0
ruby-saml provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion, since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

CVE-2025-25292 | Mar 12, 2025 | Omniauth Saml
ruby-saml Auth Bypass via Signature Wrapping (before 1.12.4/1.18.0)
ruby-saml provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

CVE-2025-25291 | Mar 12, 2025 | Omniauth Saml
ruby-saml Auth Bypass via ReXML/Nokogiri Diff <1.12.4/1.18.0
ruby-saml provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

CVE-2024-45409 | Sep 10, 2024 | Omniauth Saml
Signature Verification Vulnerability in Ruby-SAML <=12.2 & 1.13.0-1.16.0
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

CVE-2020-36599 | Aug 18, 2022 | Omniauth
OmniAuth < 1.9.2: Unescaped message_key in failure_endpoint.rb XSS
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.

CVE-2015-9284 | Apr 26, 2019 | Omniauth
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to sign into the web application as the primary account.

CVE-2017-11430 | Apr 17, 2019 | Omniauth Saml
OmniAuth OmniAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs
OmniAuth OmniAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attacker to potentially bypass authentication to SAML service providers.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).