CVE-2025-25291
Published: 12 March 2025
Summary
CVE-2025-25291 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Omniauth Saml. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique SAML Tokens (T1606.002). The CVE ranks in the top 4.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the parser differential vulnerability in ruby-saml by applying vendor patches to upgrade to fixed versions 1.12.4 or 1.18.0.
- Validates incoming SAML XML payloads to reject malicious inputs that exploit parser differences and enable signature wrapping attacks.
- Scans for and identifies vulnerable ruby-saml library versions affected by this authentication bypass CVE, enabling timely remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in ruby-saml enables signature wrapping attacks exploiting parser differentials between ReXML and Nokogiri, allowing adversaries to forge SAML tokens for authentication bypass and impersonation.
NVD Description
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
Deeper analysis
CVE-2025-25291 is an authentication bypass vulnerability in the ruby-saml library, which provides Security Assertion Markup Language (SAML) single sign-on (SSO) functionality for Ruby applications. The issue affects versions prior to 1.12.4 and 1.18.0 and stems from a parser differential between ReXML and Nokogiri XML parsers. These parsers can produce different document structures from the same XML input, enabling a Signature Wrapping attack. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-347 (Improper Verification of Cryptographic Signature) and CWE-436 (Interpretation Conflict).
A remote, unauthenticated attacker can exploit this vulnerability by crafting malicious SAML XML payloads that exploit the parsing discrepancy. This allows the attacker to bypass authentication checks, potentially signing in as any user without valid credentials. The attack requires no user interaction or privileges, making it highly practical over the network.
Advisories and patches recommend upgrading to ruby-saml versions 1.12.4 or 1.18.0, where the issue is fixed via specific commits addressing the parser handling. GitLab released version 17.9.2 on March 12, 2025, to patch affected instances, and a GitHub security blog post details the parser differential technique used in the Signature Wrapping attack.
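The remediation and scanning controls above come down to one question for a defender: does a given application pin a ruby-saml release that is older than the fixed versions? The script below is an added example written for this page, not code from the advisory or from the ruby-saml project. It parses the `specs:` section of a Gemfile.lock, reports every pinned ruby-saml version, and flags it as affected when it is below 1.12.4 or in the 1.13.0 to 1.17.x range below 1.18.0 (the two fixed releases the advisory names). The embedded lockfile is constructed sample input; its gem names and version numbers other than ruby-saml's fixed releases are assumptions for illustration.

```ruby
# Added example (not from the advisory or the ruby-saml project): check a
# Gemfile.lock for a ruby-saml version affected by CVE-2025-25291.
require "rubygems" # Gem::Version does correct numeric version comparison

# Fixed releases stated in the advisory: 1.12.4 (1.12.x branch) and 1.18.0.
FIXED_112 = Gem::Version.new("1.12.4")
FIXED_118 = Gem::Version.new("1.18.0")
FIRST_113 = Gem::Version.new("1.13.0") # start of the branch fixed by 1.18.0

# True when +version+ (a string such as "1.17.0") is an affected release:
# anything below 1.12.4, or anything from 1.13.0 up to but excluding 1.18.0.
def ruby_saml_vulnerable?(version)
  v = Gem::Version.new(version)
  return true if v < FIXED_112
  v >= FIRST_113 && v < FIXED_118
end

# Pinned gems in a Gemfile.lock appear under "specs:" indented by exactly four
# spaces as "name (version)"; dependency lines are indented by six and carry
# requirement operators, so they are deliberately not matched here.
def ruby_saml_versions(lockfile_text)
  lockfile_text.scan(/^ {4}ruby-saml \((\d+(?:\.\d+)*)\)\s*$/).flatten
end

# Returns an array of [version, vulnerable?] pairs for every pinned ruby-saml.
def scan_lockfile(lockfile_text)
  ruby_saml_versions(lockfile_text).map { |v| [v, ruby_saml_vulnerable?(v)] }
end

# Constructed sample lockfile (assumption: gem names/versions for illustration).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3-x86_64-linux)
      omniauth-saml (2.2.1)
        omniauth (~> 2.1)
        ruby-saml (~> 1.17)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    omniauth-saml
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  results = scan_lockfile(text)
  puts "no pinned ruby-saml found" if results.empty?
  results.each do |version, bad|
    status = bad ? "AFFECTED by CVE-2025-25291, upgrade to 1.12.4 / 1.18.0" : "fixed"
    puts "ruby-saml #{version}: #{status}"
  end
end
```

Run it with a path to a real Gemfile.lock as the first argument; with no argument it scans the constructed sample and reports `ruby-saml 1.17.0: AFFECTED`. Note that the `~> 1.17` requirement line under omniauth-saml is intentionally ignored, since only the pinned `ruby-saml (1.17.0)` entry reflects what Bundler actually installs.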
Details
- CWE(s)