GSA_kwCzR0hTQS03NTRmLThnbTYtYzRyMs4ABFaL

Critical CVSS: 9.3 EPSS: 0.00705% (0.71204 Percentile) EPSS:

Permalink JSON

Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)

Affected Packages	Affected Versions	Fixed Versions
rubygems:ruby-saml	< 1.12.4, >= 1.13.0, < 1.18.0	1.12.4, 1.18.0
20 Dependent packages 2,297 Dependent repositories 113,924,935 Downloads total Affected Version Ranges All affected versions 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.8.14, 0.8.15, 0.8.16, 0.8.17, 0.8.18, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0 All unaffected versions 1.12.4, 1.18.0

Summary

An authentication bypass vulnerability was found in ruby-saml due to a parser differential.
ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.

Impact

This issue may lead to authentication bypass.

References:

Identifiers

GHSA-754f-8gm6-c4r2

CVE-2025-25292

Risk

Severity

Critical

CVSS

CVSS Score: 9.3

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00705

EPSS Percentile: 0.71204

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/SAML-Toolkits/ruby-saml

Date and time

Published

5 months ago

Updated

4 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories