Cyber Resilience

CVE-2025-25292

Severity: Critical · Public PoC referenced

Published: 12 March 2025
Modified: 03 November 2025
KEV Added: not listed
Patch available: 12 March 2025
CVSS v4 base score: 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X (the threat, environmental and supplemental metrics marked X are not defined)
EPSS score: 0.0332 (87.5th percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25292 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in the ruby-saml library, tracked here under the dependent product Omniauth Omniauth Saml (the omniauth-saml gem, which performs its SAML validation through ruby-saml). Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

ruby-saml is a Ruby library that implements SAML-based single sign-on. CVE-2025-25292 is an authentication-bypass flaw present in every release before 1.12.4 and in the 1.13.0 line up to, but not including, 1.18.0. The root cause is a parser differential: the same XML document can produce structurally different trees when processed by ReXML versus Nokogiri. Because the library processed one document with both parsers, an attacker can build a signature-wrapping document in which the element that satisfies the signature check is not the element whose assertion is subsequently read, so attacker-controlled assertions are substituted without breaking the signature.

An unauthenticated network attacker who can reach a ruby-saml service provider can submit a crafted SAML response that passes signature validation yet asserts an arbitrary identity. As in any signature-wrapping attack, the attacker does not need the IdP's signing key, only one document legitimately signed by the IdP (for example the response to their own low-privilege login), which is reused to wrap the forged assertion. Successful exploitation grants the attacker a valid session under the chosen identity, bypassing the intended SSO authentication entirely. The CVSS 9.3 score reflects the absence of required privileges or user interaction and the high impact on confidentiality and integrity.

Patches released in ruby-saml 1.12.4 and 1.18.0 normalize XML handling to eliminate the differential. Corresponding updates appear in dependent products such as GitLab 17.9.2, and the project’s commit history documents the specific changes that enforce consistent document structure before signature verification.
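The defensive idea behind those patches, enforcing a consistent document structure before signature verification, can be illustrated with the kind of structural check a service provider can run on a SAML response. The Ruby below is an added example written for this page, not ruby-saml's code and not its patch: it uses REXML alone both to locate the signed element and to extract the assertion, and it rejects any document in which the two do not coincide. It performs no cryptographic verification (that step would follow, on the element it returns). The three sample responses, including the two wrapped variants, are constructed for the example and carry placeholder SignatureValue text; the Extensions element used as a hiding place and the IDs _a1 and _evil are assumptions of the example, not details taken from the advisory.

```ruby
# Added example, not ruby-saml's code and not its patch: structural checks a
# SAML response must pass BEFORE cryptographic signature verification. One
# parser (REXML) locates both the signed element and the assertion that will
# be consumed, and the two must coincide, so a wrapped document is rejected
# on structure alone. No signature math is done; the sample documents are
# constructed and carry placeholder SignatureValue text.
require "rexml/document"

DS    = "http://www.w3.org/2000/09/xmldsig#"
SAML  = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class WrappingError < StandardError; end

# Every element below node, in document order (for a Document: root and all).
def elements_of(node)
  els = []
  node.each_recursive { |e| els << e }
  els
end

def named(els, ns, local)
  els.select { |e| e.namespace == ns && e.name == local }
end

def children(el, ns, local)
  el.elements.select { |e| e.namespace == ns && e.name == local }
end

# Returns the single <saml:Assertion> covered by the document's single
# enveloped signature, or raises WrappingError naming the violated rule.
def signed_assertion(xml)
  doc = REXML::Document.new(xml)
  els = elements_of(doc)

  sigs = named(els, DS, "Signature")
  raise WrappingError, "expected 1 Signature, found #{sigs.size}" unless sigs.size == 1
  sig = sigs.first

  # Exactly one same-document Reference (#id) inside SignedInfo.
  refs = children(sig, DS, "SignedInfo").flat_map { |si| children(si, DS, "Reference") }
  raise WrappingError, "expected 1 Reference, found #{refs.size}" unless refs.size == 1
  uri = refs.first.attributes["URI"].to_s
  raise WrappingError, "Reference URI must be #id, got #{uri.inspect}" unless uri =~ /\A#.+/
  id = uri[1..]

  # Resolve the ID over the WHOLE tree; a duplicated ID is the classic wrapping trick.
  targets = els.select { |e| e.attributes["ID"] == id }
  raise WrappingError, "ID #{id} matched #{targets.size} elements, expected 1" unless targets.size == 1
  target = targets.first

  # Enveloped signature: it must sit directly inside the element it signs.
  raise WrappingError, "Signature is not a direct child of the signed element" unless sig.parent.equal?(target)

  # Only one Assertion may exist, and the signed element must be that Assertion
  # or the Response that directly encloses it.
  assertions = named(els, SAML, "Assertion")
  raise WrappingError, "expected 1 Assertion, found #{assertions.size}" unless assertions.size == 1
  assertion = assertions.first
  root = doc.root
  signed_response = target.equal?(root) && root.namespace == SAMLP && root.name == "Response" &&
                    assertion.parent.equal?(root)
  unless target.equal?(assertion) || signed_response
    raise WrappingError, "signed element is neither the Assertion nor its enclosing Response"
  end
  assertion
end

# Convenience wrapper: [:ok, name_id] or [:reject, reason].
def check_response(xml)
  assertion = signed_assertion(xml)
  [:ok, named(elements_of(assertion), SAML, "NameID").first&.text]
rescue WrappingError => e
  [:reject, e.message]
end

HEAD  = %(<samlp:Response xmlns:samlp="#{SAMLP}" xmlns:saml="#{SAML}" ID="_resp1">)
SIG   = %(<ds:Signature xmlns:ds="#{DS}"><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>)
ALICE = %(<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>)
EVIL  = %(<saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>)

# Constructed: the IdP's genuine response, Assertion _a1 with an enveloped signature.
LEGIT_XML = "#{HEAD}<saml:Assertion ID=\"_a1\">#{ALICE}#{SIG}</saml:Assertion></samlp:Response>"

# Constructed wrap 1: the signed Assertion is moved into Extensions and an unsigned
# attacker Assertion reusing the SAME ID takes its place.
WRAPPED_DUP_ID_XML = "#{HEAD}<samlp:Extensions><saml:Assertion ID=\"_a1\">#{ALICE}#{SIG}</saml:Assertion></samlp:Extensions>" \
                     "<saml:Assertion ID=\"_a1\">#{EVIL}</saml:Assertion></samlp:Response>"

# Constructed wrap 2: same relocation, but the attacker Assertion gets a fresh ID.
WRAPPED_EXTRA_XML = "#{HEAD}<samlp:Extensions><saml:Assertion ID=\"_a1\">#{ALICE}#{SIG}</saml:Assertion></samlp:Extensions>" \
                    "<saml:Assertion ID=\"_evil\">#{EVIL}</saml:Assertion></samlp:Response>"

if __FILE__ == $0
  [LEGIT_XML, WRAPPED_DUP_ID_XML, WRAPPED_EXTRA_XML].each { |x| p check_response(x) }
end
```

Running the file prints [:ok, "alice@example.com"] for the genuine response and a [:reject, ...] pair naming the violated rule for each wrapped variant (the duplicated ID is caught by the uniqueness check, the fresh ID by the single-Assertion rule). The rules are deliberately stricter than what the SAML schema permits (one Signature, one Reference, one Assertion); a relying party can usually afford that, and it removes the ambiguity that a parser differential turns into a bypass.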

EPSS rose from a low baseline to a peak of 0.0548 on 2025-12-11 before receding, indicating measurable post-disclosure exploitation interest that warrants renewed attention for any still-unpatched deployments.


Vulnerability details

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

CWE(s)

CWE-347 Improper Verification of Cryptographic Signature

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606.002 SAML Tokens (Credential Access)
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Why these techniques?

The ruby-saml vulnerability enables authentication bypass via Signature Wrapping attacks that exploit XML parser differentials (ReXML vs. Nokogiri). The attacker's assertion is accepted as though it were signed, which is why it is mapped to SAML token forgery (T1606.002), with the caveat that the attacker never holds the token-signing key: a response legitimately signed by the IdP is wrapped around the attacker's unsigned assertion. Delivery is through the service provider's public-facing SAML SSO endpoint (T1190).

CVEs Like This One

CVE-2025-25291 (same product: Netapp Storagegrid)
CVE-2025-1736 (same product class: NAS / storage appliance)
CVE-2025-25293 (same product: Omniauth Omniauth Saml)
CVE-2024-56171 (same product class: NAS / storage appliance)
CVE-2025-24813 (same product class: NAS / storage appliance)
CVE-2025-59389 (same product class: NAS / storage appliance)
CVE-2024-50631 (same product class: NAS / storage appliance)
CVE-2024-10441 (same product class: NAS / storage appliance)
CVE-2025-47206 (same product class: NAS / storage appliance)
CVE-2025-52870 (same product class: NAS / storage appliance)

Affected Assets

omniauth
omniauth saml
≤ 1.10.6 · 2.0.0 — 2.1.3 · 2.2.0 — 2.2.3
onelogin
ruby-saml
before 1.12.4 · 1.13.0 up to (not including) 1.18.0
netapp
storagegrid
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of the flaw in the ruby-saml library by patching to version 1.12.4 or 1.18.0, directly eliminating the parser differential. Because omniauth-saml pulls ruby-saml in transitively, confirm the resolved version in Gemfile.lock after upgrading (`bundle info ruby-saml` prints it) rather than relying on the omniauth-saml version alone.

SI-7 Software, Firmware, and Information Integrity (prevent, detect)

Mandates software and information integrity-checking mechanisms that properly verify cryptographic signatures in SAML assertions, countering the improper verification caused by ReXML/Nokogiri parser differences.

Information input validation (prevent)

Enforces validation of SAML XML inputs to block specially crafted responses that exploit parser discrepancies for signature wrapping attacks.
