
GitHub Uncovers ruby-saml Flaws Enabling Account Takeovers


GitHub has identified two high-severity security flaws in the open-source ruby-saml library, which could allow attackers to bypass Security Assertion Markup Language (SAML) authentication. These vulnerabilities pose a significant risk, potentially leading to full account takeovers.

SAML, an XML-based authentication framework, enables secure authorization exchanges between applications and services. It is widely used for Single Sign-On (SSO), allowing users to log into multiple platforms with a single credential set.

CVE-2025-25291 and CVE-2025-25292: Authentication Bypass Risks

The newly discovered flaws, CVE-2025-25291 and CVE-2025-25292, carry a CVSS severity score of 8.8 out of 10, marking them as critical. The affected versions of the ruby-saml library are:

  • Versions below 1.12.4
  • Versions 1.13.0 to 1.17.9

These vulnerabilities arise from inconsistencies in how REXML and Nokogiri, two XML parsers, interpret the same XML data. This discrepancy enables attackers to perform a Signature Wrapping Attack, effectively bypassing authentication mechanisms.

To mitigate this threat, developers should immediately upgrade to ruby-saml versions 1.12.4 or 1.18.0, where these issues have been patched.
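A quick way to act on the version ranges above is to audit a project's Gemfile.lock. The following Ruby is an added example, not code from the article or from ruby-saml itself; the lockfile contents are constructed, and the affected ranges are taken verbatim from the advisory text (below 1.12.4, and 1.13.0 through 1.17.9):

```ruby
require "rubygems"

# Affected ranges as stated in the advisory: < 1.12.4, and 1.13.0 .. 1.17.9.
# Anything else (1.12.4, 1.18.0 and later) is treated as patched.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 1.12.4"),
  Gem::Requirement.new(">= 1.13.0", "<= 1.17.9"),
].freeze

def ruby_saml_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Gemfile.lock lists the resolved version under "specs:" with exactly four
# leading spaces, e.g. "    ruby-saml (1.17.0)". Dependency lines such as
# "      ruby-saml (>= 1.0)" are indented deeper and carry constraints, not
# a resolved version, so they are deliberately not matched.
def ruby_saml_version_from_lockfile(lock_text)
  match = lock_text.match(/^    ruby-saml \(([0-9][^)]*)\)/)
  match && match[1]
end

# Returns the resolved ruby-saml version and whether it falls in an affected range.
def audit_lockfile(lock_text)
  version = ruby_saml_version_from_lockfile(lock_text)
  return { version: nil, status: :not_found } unless version

  { version: version, status: ruby_saml_vulnerable?(version) ? :vulnerable : :patched }
end

# Constructed sample lockfile (not from a real project); nokogiri/rexml versions are illustrative.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3)
      rexml (3.4.1)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    ruby-saml
LOCK

puts audit_lockfile(SAMPLE_LOCKFILE).inspect if $PROGRAM_NAME == __FILE__
```

Run it against a real Gemfile.lock by reading the file into `audit_lockfile`; a `:vulnerable` result means the upgrade to 1.12.4 or 1.18.0 is still outstanding.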

GitHub Warns of Account Takeover Risks

According to GitHub Security Lab researcher Peter Stöckli, the flaw allows attackers to craft SAML assertions using a single valid signature. If an attacker obtains a signature created with the organization’s validation key, they can exploit it to log in as any user within the system.

The root cause of the issue lies in the mismatch between hash verification and signature validation, creating a loophole that hackers can exploit.

The updated ruby-saml versions also address a remote denial-of-service (DoS) vulnerability (CVE-2025-25293), rated 7.7 on the CVSS scale. This flaw could be exploited through malformed compressed SAML responses, potentially disrupting authentication services.

Urgent Action: Update to the Latest ruby-saml Version

Given the severity of these vulnerabilities, GitHub strongly advises all users and organizations to upgrade to ruby-saml 1.12.4 or 1.18.0 to protect their authentication systems from exploitation.

This discovery follows another critical ruby-saml flaw (CVE-2024-45409, CVSS score: 10.0) patched by GitLab in late 2024, which also posed a major authentication risk.

How to Stay Secure:

  • Check your ruby-saml version and upgrade if necessary.
  • Review SAML authentication configurations for security gaps.
  • Monitor for unusual authentication activities that could indicate exploitation attempts.
  • Catch up on all Techvop cybersecurity updates for the latest patches and advisories.

By taking swift action, organizations can safeguard their authentication systems against potential account takeovers and security breaches.
