{"id":"CVE-2025-25291","summary":"ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)","details":"ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.","aliases":["BIT-gitlab-2025-25291","GHSA-4vc4-m8qh-g8jm"],"modified":"2026-04-10T05:23:13.561180Z","published":"2025-03-12T20:16:12.181Z","related":["GHSA-4vc4-m8qh-g8jm","GHSA-hw46-3hmr-x9xv"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25291.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-347","CWE-436"]},"references":[{"type":"WEB","url":"https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"},{"type":"WEB","url":"https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"},{"type":"WEB","url":"https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"},{"type":"WEB","url":"https://news.ycombinator.com/item?id=43374519"},{"type":"WEB","url":"https://portswigger.net/research/saml-roulette-the-hacker-always-wins"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25291.json"},{"type":"ADVISORY","url":"https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm"},{"type":"ADVISORY","url":"https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25291"},{"t
ype":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250314-0010/"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml"},{"type":"FIX","url":"https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9"},{"type":"FIX","url":"https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97"},{"type":"ARTICLE","url":"https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/omniauth/omniauth-saml","events":[{"introduced":"0"},{"fixed":"1075827eb7d7b0926920c9b452f756d18de6deab"},{"introduced":"ed52758c272f5afe81e3304d1f4e436e30021a2a"},{"fixed":"2eb30faada7936b2e2188e47a5b768f5643e6eae"},{"introduced":"4274e9d57e65f2dcaae4aa3b2accf831494f2ddd"},{"fixed":"34eb3541248e4ee56fa2189bd7b47f4748fe2f78"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.10.6"},{"introduced":"2.0.0"},{"fixed":"2.1.3"},{"introduced":"2.2.0"},{"fixed":"2.2.3"}]}}],"versions":["v0.9.0","v0.9.1","v0.9.2","v1.0.0","v1.1.0","v1.10.0","v1.10.1","v1.10.2","v1.10.3","v1.10.4","v1.10.5","v1.2.0","v1.3.0","v1.3.1","v1.4.0","v1.4.1","v1.4.2","v1.5.0","v1.6.0","v1.7.0","v1.8.0","v1.8.1","v1.9.0","v2.0.0","v2.1.0","v2.1.1","v2.1.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25291.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/onelogin/ruby-saml","events":[{"introduced":"0"},{"fixed":"48cc5b92e1dde8637a013dfd48cdf8ceadd499b2"},{"introduced":"5da850c36bbf678674f9321032df428139d7e434"},{"fixed":"6a7c040049babe748ee1bb4ca13898c47189114c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.12.4"},{"introduced":"1.13.0"},{"fixed":"1.18.0"}]}}],"versions":["0.7.3","0.8.0","0.8.1","1.3.1","1.4.0","1.4.1","1.4.2","1.4.3","1.5.0","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.3.0","v0.3.1
","v0.3.2","v0.3.3","v0.3.4","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.6.0","v0.7.1","v0.9","v0.9.1","v0.9.2","v1.0.0","v1.1.0","v1.1.1","v1.1.2","v1.10.0","v1.10.1","v1.10.2","v1.11.0","v1.12.0","v1.12.1","v1.12.2","v1.14.0","v1.15.0","v1.16.0","v1.17.0","v1.2.0","v1.3.0","v1.6.0","v1.6.1","v1.6.2","v1.7.0","v1.7.1","v1.7.2","v1.8.0","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25291.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/saml-toolkits/ruby-saml","events":[{"introduced":"0"},{"fixed":"48cc5b92e1dde8637a013dfd48cdf8ceadd499b2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.12.4"}]}},{"type":"GIT","repo":"https://github.com/saml-toolkits/ruby-saml","events":[{"introduced":"5da850c36bbf678674f9321032df428139d7e434"},{"fixed":"6a7c040049babe748ee1bb4ca13898c47189114c"}],"database_specific":{"versions":[{"introduced":"1.13.0"},{"fixed":"1.18.0"}]}}],"versions":["0.7.3","0.8.0","0.8.1","1.3.1","1.4.0","1.4.1","1.4.2","1.4.3","1.5.0","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.3.0","v0.3.1","v0.3.2","v0.3.3","v0.3.4","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.6.0","v0.7.1","v0.9","v0.9.1","v0.9.2","v1.0.0","v1.1.0","v1.1.1","v1.1.2","v1.10.0","v1.10.1","v1.10.2","v1.11.0","v1.2.0","v1.3.0","v1.6.0","v1.6.1","v1.6.2","v1.7.0","v1.7.1","v1.7.2","v1.8.0","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25291.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}