ruby-saml Auth Bypass via ReXML/Nokogiri Diff <1.12.4/1.18.0
CVE-2025-25291 Published on March 12, 2025
ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)
ruby-saml provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack, which may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
Weakness Types
Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
Interpretation Conflict
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave.
Products Associated with CVE-2025-25291
Affected Versions
SAML-Toolkits ruby-saml:
- Version < 1.12.4 is affected.
- Version >= 1.13.0, < 1.18.0 is affected.
Vulnerable Packages
The following package names and versions may be associated with CVE-2025-25291:
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| rubygems | omniauth-saml | >= 2.2.0, < 2.2.3 | 2.2.3 |
| rubygems | omniauth-saml | >= 2.0.0, < 2.1.3 | 2.1.3 |
| rubygems | omniauth-saml | < 1.10.6 | 1.10.6 |
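The affected ranges above (the ruby-saml list and the omniauth-saml table) can be checked against a project's `Gemfile.lock`. The following is an added example, not code from ruby-saml or from this page's publisher; it assumes the standard Bundler lockfile layout, and the names `AFFECTED`, `SAMPLE_LOCK` and `affected_gems` and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Affected ranges copied from this page (CVE-2025-25291).
AFFECTED = {
  "ruby-saml"     => [["< 1.12.4"], [">= 1.13.0", "< 1.18.0"]],
  "omniauth-saml" => [["< 1.10.6"], [">= 2.0.0", "< 2.1.3"], [">= 2.2.0", "< 2.2.3"]],
}.transform_values { |ranges| ranges.map { |r| Gem::Requirement.new(*r) } }.freeze

# Constructed sample lockfile (not from the page); versions chosen for illustration.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth-saml (2.2.1)
        omniauth (~> 2.1)
        ruby-saml (~> 1.17)
      rexml (3.4.1)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

# Returns [[gem_name, version], ...] for resolved gems that fall in an affected range.
def affected_gems(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    # Resolved specs are indented exactly four spaces: "    name (1.2.3)".
    # Dependency constraints ("      ruby-saml (~> 1.17)") sit deeper and are skipped.
    m = line.match(/\A {4}([A-Za-z0-9_.-]+) \(([^)\s]+)\)\s*\z/)
    next unless m && AFFECTED.key?(m[1]) && Gem::Version.correct?(m[2])
    version = Gem::Version.new(m[2])
    [m[1], m[2]] if AFFECTED[m[1]].any? { |req| req.satisfied_by?(version) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Scan the lockfile given as the first argument, or the constructed sample.
  path = ARGV[0]
  text = path && File.file?(path) ? File.read(path) : SAMPLE_LOCK
  affected_gems(text).each { |name, ver| puts "#{name} #{ver} is in an affected range" }
end
```

The check reads resolved versions only, so a transitive ruby-saml pulled in through omniauth-saml is reported as well.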
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.