Onelogin Ruby Saml
By the Year
In 2026 there have been 0 vulnerabilities in Onelogin Ruby Saml. Last year, in 2025, Ruby Saml had 4 security vulnerabilities published. Right now, Ruby Saml is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 4 | 0.00 |
| 2024 | 1 | 9.80 |
| 2023 | 1 | 9.80 |
It may take a day or so for new Ruby Saml vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Onelogin Ruby Saml Security Vulnerabilities
ruby-saml 1.12.4 Authentication Bypass via Signature Wrapping (ReXML/Nokogiri)
CVE-2025-66567 - December 09, 2025
The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0.
Improper Verification of Cryptographic Signature
Remote DoS via Compressed SAML in ruby-saml before 1.12.4/1.18.0
CVE-2025-25293 - March 12, 2025
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.
Resource Exhaustion
Ruby-saml Auth Bypass via Signature Wrapping (before 1.12.4/1.18.0)
CVE-2025-25292 - March 12, 2025
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
Improper Verification of Cryptographic Signature
ruby-saml Auth Bypass via ReXML/Nokogiri Diff <1.12.4/1.18.0
CVE-2025-25291 - March 12, 2025
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
Improper Verification of Cryptographic Signature
Signature Verification Vulnerability in Ruby-SAML <=12.2 & 1.13.0-1.16.0
CVE-2024-45409 - 9.8 Critical - September 10, 2024
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
Improper Verification of Cryptographic Signature
ruby-saml before 1.0.0 XPath injection in xml_security.rb
CVE-2015-20108 - 9.8 Critical - May 27, 2023
xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.
Command Injection