ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 12 Sep 2025 19:15:00 +0000


Fri, 01 Aug 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Netapp
Netapp storagegrid
Omniauth
Omniauth omniauth Saml
Onelogin
Onelogin ruby-saml
CPEs cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*
cpe:2.3:a:omniauth:omniauth_saml:*:*:*:*:*:ruby:*:*
cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*:*
Vendors & Products Netapp
Netapp storagegrid
Omniauth
Omniauth omniauth Saml
Onelogin
Onelogin ruby-saml
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.01703}

epss

{'score': 0.02296}


Thu, 03 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 20 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Mon, 17 Mar 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 15 Mar 2025 21:45:00 +0000

Type Values Removed Values Added
References

Fri, 14 Mar 2025 10:45:00 +0000

Type Values Removed Values Added
References

Wed, 12 Mar 2025 21:45:00 +0000

Type Values Removed Values Added
References
Metrics cvssV4_0

{'score': 8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


Wed, 12 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Mar 2025 21:00:00 +0000


Wed, 12 Mar 2025 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-436

Wed, 12 Mar 2025 20:30:00 +0000

Type Values Removed Values Added
Description ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
Title ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)
Weaknesses CWE-347
References
Metrics cvssV4_0

{'score': 8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-09-12T19:07:07.030Z

Reserved: 2025-02-06T17:13:33.122Z

Link: CVE-2025-25291

cve-icon Vulnrichment

Updated: 2025-03-15T20:47:03.479Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-12T21:15:42.000

Modified: 2025-09-26T14:14:27.393

Link: CVE-2025-25291

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.