CVE-2025-25292
Published: 12 March 2025
Summary
CVE-2025-25292 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Omniauth Omniauth Saml. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely identification, reporting, and correction of the flaw in the ruby-saml library by patching to version 1.12.4 or 1.18.0, directly eliminating the parser differential vulnerability.
- Mandates software and information integrity-checking mechanisms that properly verify cryptographic signatures in SAML assertions, countering improper verification caused by ReXML/Nokogiri parser differences.
- Enforces validation of SAML XML inputs to block specially crafted responses that exploit parser discrepancies for signature wrapping attacks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The ruby-saml vulnerability enables authentication bypass via Signature Wrapping attacks exploiting XML parser differentials (ReXML vs. Nokogiri), allowing attackers to forge SAML tokens (T1606.002) and exploit public-facing SAML SSO applications (T1190).
NVD Description
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
Deeper analysis
CVE-2025-25292 is an authentication bypass vulnerability in the ruby-saml library, which provides Security Assertion Markup Language (SAML) single sign-on (SSO) functionality for Ruby applications. The flaw affects versions prior to 1.12.4 and 1.18.0 and arises from a parser differential between the ReXML and Nokogiri XML parsers. These parsers can generate entirely different document structures from the same XML input, enabling a Signature Wrapping attack that undermines SAML authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-347 (Improper Verification of Cryptographic Signature) and CWE-436 (Interpretation Conflict).
Attackers require no privileges and can exploit the issue remotely over the network with low complexity and no user interaction. By submitting a specially crafted SAML response that leverages the parser discrepancy, an attacker can bypass authentication, potentially impersonating any user in ruby-saml-dependent applications, such as those using SAML SSO for access control.
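A signature wrapping attack only works if the element the signature covers and the element the application consumes can be made to differ. The structural pre-check below, an added example written for this page and not ruby-saml's own code, pins the two together before any cryptographic verification runs: it parses the response with REXML only, requires exactly one Assertion, requires that the Signature's Reference URI point at that Assertion's ID, and rejects duplicate ID attributes. The sample responses are constructed and carry no real signature values.

```ruby
require 'rexml/document'

# Namespace prefixes used by the XPath queries below.
NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
       'ds'   => 'http://www.w3.org/2000/09/xmldsig#' }

# Structural pre-check run before signature cryptography (added example, not
# ruby-saml's code). Returns [:ok, assertion_id] or [:reject, reason].
def check_saml_structure(xml)
  doc = REXML::Document.new(xml)
  assertions = REXML::XPath.match(doc, '//saml:Assertion', NS)
  return [:reject, 'expected exactly one Assertion'] unless assertions.size == 1
  assertion = assertions.first
  sigs = REXML::XPath.match(assertion, 'ds:Signature', NS)
  return [:reject, 'Assertion must carry exactly one Signature'] unless sigs.size == 1
  refs = REXML::XPath.match(sigs.first, 'ds:SignedInfo/ds:Reference', NS)
  return [:reject, 'expected exactly one Reference'] unless refs.size == 1
  uri = refs.first.attributes['URI'].to_s
  return [:reject, 'Reference URI must be a local #ID reference'] unless uri.start_with?('#')
  id = uri[1..]
  # The signed element must be the very Assertion whose Subject we will trust.
  return [:reject, 'Reference does not point at the consumed Assertion'] unless assertion.attributes['ID'] == id
  ids = REXML::XPath.match(doc, '//*[@ID]').map { |e| e.attributes['ID'] }
  return [:reject, 'duplicate ID attribute values'] unless ids.uniq.size == ids.size
  [:ok, id]
end

# Constructed well-formed response: the Reference matches the single Assertion.
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
    <saml:Assertion ID="_a1">
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed variant with a second Assertion appended: rejected outright, so no
# parser differential gets to decide which Assertion the signature "covers".
TWO_ASSERTIONS = GOOD_RESPONSE.sub('</samlp:Response>',
  '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>bob@example.test</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')

check_saml_structure(GOOD_RESPONSE)   # => [:ok, "_a1"]
check_saml_structure(TWO_ASSERTIONS)  # => [:reject, "expected exactly one Assertion"]
```

This check complements, and does not replace, upgrading to a patched ruby-saml release; the fix in 1.12.4 and 1.18.0 is what removes the parser differential itself.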
Mitigation involves upgrading to ruby-saml versions 1.12.4 or 1.18.0, which contain patches addressing the parser differential, as documented in the library's commit history and release notes. GitLab released version 17.9.2 to patch the issue, and a GitHub security blog post details the parser differentials enabling SAML SSO bypass.
Details
- CWE(s)