CVE-2025-25292
Authentication Bypass vulnerability in ruby-saml (RubyGems)
What is CVE-2025-25292 About?
A critical authentication bypass vulnerability was discovered in ruby-saml, caused by a parser differential between REXML and Nokogiri when parsing XML. This allows an attacker to execute a Signature Wrapping attack, enabling user impersonation. Exploitation is highly complex due to the intricate nature of XML parsing and SAML signature validation but leads to severe consequences.
Affected Software
- ruby-saml <1.12.4
- ruby-saml >=1.13.0, <1.18.0
Technical Details
This authentication bypass vulnerability in ruby-saml (CVE-2025-25292) is caused by a parser differential, specifically between the REXML and Nokogiri XML parsers. The core issue is that these two parsers can produce different document structures from the exact same XML input. In the context of SAML, this differential can be leveraged by an attacker to execute a Signature Wrapping attack. The attacker crafts a SAML assertion such that during signature validation, one parser (e.g., REXML) authenticates a legitimate but benign part of the assertion, while a different parser (e.g., Nokogiri), used later in the application logic, interprets an attacker-controlled, unverified part of the assertion. This discrepancy allows the attacker to bypass the signature verification process and effectively impersonate a legitimate user.
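The defensive principle behind this class of bug is that the node whose signature is verified and the node the application reads identity from must be the same node, resolved once, by one parser. The following Ruby script is an added example (not code from ruby-saml or from this advisory) showing that structural check with the standard-library REXML parser: it resolves the Signature's Reference URI to exactly one element, requires the Signature to be enveloped in that element, and reads the NameID only from that element's subtree. The helper name signed_subject, the namespace constants, and both SAML documents are constructed for this illustration; cryptographic verification of the SignatureValue is assumed to happen separately against the same node and is not shown.

```ruby
require 'rexml/document'
require 'rexml/xpath'

SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'
DS_NS   = 'http://www.w3.org/2000/09/xmldsig#'
NS      = { 'saml' => SAML_NS, 'ds' => DS_NS }.freeze

# Hypothetical helper (added example, not ruby-saml's code): resolve the
# Signature's Reference to exactly one element using a single parser and
# return the subject read from that element only. Any ambiguity is rejected
# rather than left for a second parser to interpret differently.
def signed_subject(xml)
  doc = REXML::Document.new(xml)

  sigs = REXML::XPath.match(doc, '//ds:Signature', NS)
  return [:reject, 'expected exactly one ds:Signature'] unless sigs.size == 1
  sig = sigs.first

  uri = REXML::XPath.first(sig, './ds:SignedInfo/ds:Reference/@URI', NS)
  return [:reject, 'Reference URI missing'] if uri.nil?
  return [:reject, 'only same-document #id references accepted'] unless uri.value.start_with?('#')
  ref_id = uri.value[1..]

  # Every element carrying that ID, anywhere in the document. The reference is
  # ambiguous (and the document rejected) unless exactly one element matches.
  targets = REXML::XPath.match(doc, '//*[@ID]').select { |e| e.attributes['ID'] == ref_id }
  unless targets.size == 1
    return [:reject, "ID #{ref_id.inspect} resolves to #{targets.size} elements, expected 1"]
  end
  signed = targets.first

  unless signed.name == 'Assertion' && signed.namespace == SAML_NS
    return [:reject, 'signed element is not a saml:Assertion']
  end
  # Enveloped signature: the Signature must sit directly inside what it signs.
  return [:reject, 'Signature is not enveloped in the signed Assertion'] unless sig.parent.equal?(signed)

  # Read identity from the signed subtree, never via a document-wide search.
  name_id = REXML::XPath.first(signed, './saml:Subject/saml:NameID', NS)
  return [:reject, 'no NameID inside the signed Assertion'] if name_id.nil?
  [:ok, name_id.text.strip]
end

# Constructed sample: one Assertion, Signature enveloped inside it, Reference
# pointing at its ID. SignatureValue is a placeholder since crypto is out of scope.
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <saml:Assertion ID="_a1">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: the referenced ID now appears on two elements, so "the
# signed element" is ambiguous. Ambiguity of this kind is what a parser
# differential turns into a bypass, so the check refuses the document outright.
DUP_ID_RESPONSE = GOOD_RESPONSE.sub('<saml:Issuer>', '<saml:Issuer ID="_a1">')

if __FILE__ == $PROGRAM_NAME
  p signed_subject(GOOD_RESPONSE)
  p signed_subject(DUP_ID_RESPONSE)
end
```

The check deliberately fails closed: a Reference that resolves to zero or several elements, a Signature that is not a direct child of the signed Assertion, or a NameID outside the signed subtree all result in rejection before any signature value is examined.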
What is the Impact of CVE-2025-25292?
Successful exploitation may allow attackers to bypass authentication mechanisms, leading to unauthorized user impersonation, full account takeover, and access to all associated resources and data.
What is the Exploitability of CVE-2025-25292?
Exploitation of this authentication bypass vulnerability is of high complexity, requiring an in-depth understanding of XML parsing differentials, SAML protocol specifics, and XML digital signature intricacies. No prior authentication to the target application is required, as the attack primarily targets the authentication process itself. Access is remote, as SAML exchanges occur over the network. The primary constraints involve crafting a precisely malformed SAML assertion that triggers the parser differential and understanding which parsers are in use. The risk factors that increase exploitation likelihood include applications that rely heavily on SAML for authentication and use inconsistent XML parsing libraries within their SAML processing pipeline.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-25292?
Available Upgrade Options
- ruby-saml <1.12.4 → Upgrade to 1.12.4
- ruby-saml >=1.13.0, <1.18.0 → Upgrade to 1.18.0
Additional Resources
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-25292.yml
- https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9
- https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html
- https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml
- https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
- https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
- https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4
What are Similar Vulnerabilities to CVE-2025-25292?
Similar Vulnerabilities: CVE-2012-4467, CVE-2012-4468, CVE-2013-4011, CVE-2017-1000407, CVE-2021-36728
