CVE-2025-25291
Published: 12 March 2025
Summary
CVE-2025-25291 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Omniauth Omniauth Saml. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique SAML Tokens (T1606.002); ranked in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
ruby-saml is a library providing SAML single sign-on for Ruby applications. CVE-2025-25291 is an authentication bypass vulnerability present in versions prior to 1.12.4 and 1.18.0 that stems from a parser differential between ReXML and Nokogiri. The two parsers can produce entirely different document structures from identical XML input, enabling a Signature Wrapping attack that leads to authentication bypass.
An unauthenticated network attacker can supply a crafted SAML response that one parser accepts while the signature verification logic, driven by the other parser, validates it incorrectly. This allows the attacker to impersonate any user and obtain unauthorized access to the target application.
Patches are available in ruby-saml 1.12.4 and 1.18.0. Corresponding updates have been issued in dependent products such as GitLab 17.9.2, and the project commits explicitly address the differential handling of XML signatures.
The vulnerability carries a CVSS 4.0 score of 9.3. Its EPSS score reached 0.2084 without a subsequent material rise from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6415
Vulnerability details
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can…
more
generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in ruby-saml enables signature wrapping attacks exploiting parser differentials between ReXML and Nokogiri, allowing adversaries to forge SAML tokens for authentication bypass and impersonation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the parser differential vulnerability in ruby-saml by applying vendor patches to upgrade to fixed versions 1.12.4 or 1.18.0.
Validates incoming SAML XML payloads to reject malicious inputs exploiting parser differences and enabling signature wrapping attacks.
Scans for and identifies vulnerable ruby-saml library versions affected by this authentication bypass CVE, enabling timely remediation.