Cyber Resilience

CVE-2025-25291

Critical · Public PoC

Published: 12 March 2025
Modified: 03 November 2025
KEV Added: not listed (see summary)
Patch: 12 March 2025
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.2084 (95.7th percentile)
Risk Priority: 31 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25291 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Omniauth Omniauth Saml. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique SAML Tokens (T1606.002); ranked in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

ruby-saml is a library providing SAML single sign-on for Ruby applications. CVE-2025-25291 is an authentication bypass vulnerability present in versions prior to 1.12.4 and 1.18.0 that stems from a parser differential between ReXML and Nokogiri. The two parsers can produce entirely different document structures from identical XML input, enabling a Signature Wrapping attack that leads to authentication bypass.

An unauthenticated network attacker can supply a crafted SAML response that one parser accepts while the signature verification logic, driven by the other parser, validates it incorrectly. This allows the attacker to impersonate any user and obtain unauthorized access to the target application.

Patches are available in ruby-saml 1.12.4 and 1.18.0. Corresponding updates have been issued in dependent products such as GitLab 17.9.2, and the project commits explicitly address the differential handling of XML signatures.
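As an added defensive illustration, not code from ruby-saml or from any of the products named on this page, the following Ruby snippet shows the structural pre-check a SAML consumer can run with a single parser (REXML from the standard library) before any cryptographic verification: it requires that the signature's Reference URI resolves to exactly one element, that this element is the one Assertion the application is about to trust, and that the Signature is enveloped directly inside it. The function name, the rejection symbols and both sample responses (with placeholder signature values) are constructed for this example; the check assumes an assertion-level enveloped signature and does not replace upgrading to the patched versions.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Namespaces used by a SAML 2.0 response and its enveloped XML Signature.
NS = {
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol'
}.freeze

# Structural pre-check that runs before cryptographic verification (which this
# example does not perform). Returns :ok or a symbol naming the rejection
# reason. Assumes one enveloped signature over exactly one Assertion.
def check_signature_reference(xml)
  doc = REXML::Document.new(xml)

  assertions = REXML::XPath.match(doc, '//saml:Assertion', NS)
  return :assertion_count if assertions.size != 1

  refs = REXML::XPath.match(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', NS)
  return :reference_count if refs.size != 1

  uri = refs.first.attributes['URI'].to_s
  return :bad_uri unless uri.start_with?('#') && uri.length > 1
  wanted = uri[1..]

  # Resolve the ID by exact attribute comparison over every element, rather
  # than by interpolating attacker-controlled text into an XPath expression.
  targets = REXML::XPath.match(doc, '//*[@ID]').select { |e| e.attributes['ID'] == wanted }
  return :id_not_found if targets.empty?
  return :duplicate_id if targets.size > 1

  target = targets.first
  # The element the signature covers must be the Assertion we are about to trust...
  return :signed_element_not_assertion unless target.equal?(assertions.first)
  # ...and the Signature must sit directly inside that element (enveloped).
  signature = refs.first.parent.parent
  return :signature_not_enveloped unless signature.parent.equal?(target)

  :ok
end

# Constructed sample: one signed Assertion whose enveloped Signature references
# the Assertion's own ID. The signature value is a placeholder, not a real one.
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: two elements carry the referenced ID, so "which element
# did the signature cover?" has no single answer. The check rejects it before
# any parser-dependent ID lookup is consulted.
DUPLICATE_ID_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_RESPONSE, 'duplicate id' => DUPLICATE_ID_RESPONSE }.each do |label, xml|
    puts "#{label}: #{check_signature_reference(xml)}"
  end
end
```

A differential between what REXML and Nokogiri resolve for the same ID can only be exploited if the document is ambiguous to begin with; refusing responses in which the referenced ID is not unique, or in which the signed element is not the element being consumed, removes one class of that ambiguity and gives a cheap, loggable detection signal. It is a complement to, not a substitute for, the vendor fix.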

The vulnerability carries a CVSS 4.0 score of 9.3. Its EPSS score rose from a low baseline to 0.2084 and has not risen materially since.

Vulnerability details

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1606.002 SAML Tokens Credential Access
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Why these techniques?

The vulnerability in ruby-saml enables signature wrapping attacks exploiting parser differentials between ReXML and Nokogiri, allowing adversaries to forge SAML tokens for authentication bypass and impersonation.

CVEs Like This One

CVE-2025-25292: same product (Netapp Storagegrid)
CVE-2025-25293: same product (Omniauth Omniauth Saml)
CVE-2025-26512: same product class (NAS / storage appliance)
CVE-2025-24928: same product class (NAS / storage appliance)
CVE-2025-0411: same product class (NAS / storage appliance)
CVE-2025-1736: same product class (NAS / storage appliance)
CVE-2025-27423: same product class (NAS / storage appliance)
CVE-2024-54085: same product class (NAS / storage appliance)
CVE-2025-1215: same product class (NAS / storage appliance)
CVE-2025-1861: same product class (NAS / storage appliance)

Affected Assets

omniauth / omniauth saml: ≤ 1.10.6 · 2.0.0 to 2.1.3 · 2.2.0 to 2.2.3
onelogin / ruby-saml: ≤ 1.12.4 · 1.13.0 to 1.18.0
netapp / storagegrid: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · recover

Directly remediates the parser differential vulnerability in ruby-saml by applying vendor patches to upgrade to fixed versions 1.12.4 or 1.18.0.

prevent

Validates incoming SAML XML payloads to reject malicious inputs exploiting parser differences and enabling signature wrapping attacks.

detect

Scans for and identifies vulnerable ruby-saml library versions affected by this authentication bypass CVE, enabling timely remediation.
