CVE-2025-25292
Published: 12 March 2025
Summary
CVE-2025-25292 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Omniauth Omniauth Saml. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
ruby-saml is a Ruby library that implements SAML-based single sign-on. CVE-2025-25292 is an authentication-bypass flaw present in all versions prior to 1.12.4 and 1.18.0. The root cause is a parser differential: the same XML document can produce structurally different trees when processed by ReXML versus Nokogiri, enabling a signature-wrapping attack that satisfies the library’s signature checks while substituting attacker-controlled assertions.
An unauthenticated network attacker who can reach a ruby-saml service provider can submit a crafted SAML response that passes signature validation yet asserts an arbitrary identity. Successful exploitation grants the attacker a valid session under the chosen identity, bypassing the intended SSO authentication entirely. The CVSS 9.3 score reflects the absence of required privileges or user interaction and the high impact on confidentiality and integrity.
Patches released in ruby-saml 1.12.4 and 1.18.0 normalize XML handling to eliminate the differential. Corresponding updates appear in dependent products such as GitLab 17.9.2, and the project’s commit history documents the specific changes that enforce consistent document structure before signature verification.
EPSS rose from a low baseline to a peak of 0.0548 on 2025-12-11 before receding, indicating measurable post-disclosure exploitation interest that warrants renewed attention for any still-unpatched deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6414
Vulnerability details
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
- CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The ruby-saml vulnerability enables authentication bypass via Signature Wrapping attacks exploiting XML parser differentials (ReXML vs. Nokogiri), allowing attackers to forge SAML tokens (T1606.002) and exploit public-facing SAML SSO applications (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the flaw in the ruby-saml library by patching to version 1.12.4 or 1.18.0, directly eliminating the parser differential.
- SI-7 (Software, Firmware, and Information Integrity): mandates software and information integrity-checking mechanisms that properly verify cryptographic signatures in SAML assertions, countering improper verification caused by ReXML/Nokogiri parser differences.
- Input validation: enforces validation of SAML XML inputs to block specially crafted responses that exploit parser discrepancies for signature wrapping attacks.
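A defender-side check that applies the version ranges above, as an added example that is not code from the advisory or the ruby-saml project: it reads a Gemfile.lock and flags a resolved ruby-saml older than 1.12.4 on the 1.12.x branch, or older than 1.18.0 otherwise. The lockfile fragment is constructed for the example.

```ruby
# Added example, not code from the advisory or the ruby-saml project: reads a
# Gemfile.lock and reports whether the resolved ruby-saml is in an affected
# range for CVE-2025-25292 (fixed in 1.12.4 for the 1.12.x branch, else 1.18.0).
require "rubygems"

FIXED_112  = Gem::Version.new("1.12.4")
FIXED_118  = Gem::Version.new("1.18.0")
BRANCH_113 = Gem::Version.new("1.13.0")

# true when this ruby-saml version is vulnerable to CVE-2025-25292
def ruby_saml_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  return v < FIXED_112 if v < BRANCH_113 # 1.12.x and older: fixed at 1.12.4
  v < FIXED_118                          # 1.13.0 .. 1.17.x: fixed at 1.18.0
end

# Resolved ruby-saml version from Gemfile.lock text, or nil if absent. Only
# 4-space lines under "specs:" are gem entries; deeper lines are constraints.
def ruby_saml_version_from_lockfile(lockfile_text)
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = false if line =~ /\A[A-Z]/      # new top-level section
    in_specs = true  if line.strip == "specs:"
    next unless in_specs
    m = line.match(/\A {4}ruby-saml \(([^)\s]+)\)/)
    return m[1] if m
  end
  nil
end

# :vulnerable, :fixed or :absent for the contents of a Gemfile.lock
def assess_lockfile(lockfile_text)
  version = ruby_saml_version_from_lockfile(lockfile_text)
  return :absent if version.nil?
  ruby_saml_vulnerable?(version) ? :vulnerable : :fixed
end

# Constructed sample lockfile fragment (not from any real project)
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth-saml (2.2.1)
        ruby-saml (~> 1.17)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
  PLATFORMS
    x86_64-linux
LOCK
```

Run it against each application's Gemfile.lock (for example `assess_lockfile(File.read("Gemfile.lock"))`) to find deployments still on an affected release.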