Ruby-saml is a popular gem that provides Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Ruby applications. A significant authentication bypass vulnerability has been discovered in ruby-saml prior to versions 1.12.4 and 1.18.. This vulnerability stems from the different ways that ReXML and Nokogiri, two popular XML parsers in the Ruby ecosystem, parse XML content. This parser differential creates an opportunity for skilled attackers to execute a Signature Wrapping attack and potentially bypass authentication, leading to unauthorized access to sensitive data.
Details of the Vulnerability
This issue arises because ReXML and Nokogiri process XML input differently, sometimes generating completely distinct document structures. With clever manipulation and crafting of the XML content, an attacker can exploit these parser inconsistencies to successfully execute a Signature Wrapping attack on the targeted Ruby application.
A Signature Wrapping attack involves maliciously changing the structure of an XML document to make it appear valid to the service consuming the XML. By wrapping the original signed XML content with a new, unsigned content, an attacker can trick the service into processing their malicious XML input instead of the expected, valid data.
Here's a code snippet demonstrating the differences between the ReXML and Nokogiri parsers:
require 'rexml/document'
require 'nokogiri'

# The same XML text is handed to both parsers.
xml_input = <<-XML
<root>
  <element id="1">
    <data>Hello</data>
  </element>
  <element id="2" />
</root>
XML

rexml_doc = REXML::Document.new(xml_input)
noko_doc  = Nokogiri::XML(xml_input)

# Collect the root's child elements from each document tree.
rexml_elements = rexml_doc.root.elements.to_a
noko_elements  = noko_doc.root.children.select(&:element?)

# Serialize each element back to text to compare how the two parsers
# represent the same input.
puts "REXML elements: #{rexml_elements.map(&:to_s)}"
puts "Nokogiri elements: #{noko_elements.map(&:to_s)}"
When executed, this code snippet returns different results from each parser:
REXML elements: ["<element id='1'><data>Hello</data></element>", "<element id='2' />"]
Nokogiri elements: ["<element id=\"1\">\n <data>Hello</data>\n </element>", "<element id=\"2\"/>\n"]
Although the differences in this example are subtle, they still illustrate how the two parsers can generate different document structures from the same XML input. Attackers can use these discrepancies to initiate a Signature Wrapping attack.
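The defensive counterpart to this, as an added example that is not from the ruby-saml project: a consumer that reads data only from the element the Signature's Reference actually covers, and refuses documents where that ID is ambiguous. The Response structure, IDs and subject names are constructed for illustration; digests and the SignatureValue are left out because only element selection is being shown.

```ruby
require 'rexml/document'

DS = 'http://www.w3.org/2000/09/xmldsig#'

# Constructed sample, not a real SAML message: the Signature references the
# Assertion with ID="_signed", and an unsigned Assertion has been wrapped in
# ahead of it. Digests and SignatureValue are omitted; only element
# selection is demonstrated.
WRAPPED = <<~XML
  <Response xmlns:ds="#{DS}">
    <Assertion ID="_unsigned"><Subject>mallory</Subject></Assertion>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_signed"/></ds:SignedInfo>
    </ds:Signature>
    <Assertion ID="_signed"><Subject>alice</Subject></Assertion>
  </Response>
XML

# Every element whose ID attribute equals +id+, counted in Ruby rather than
# taken as the first hit of an XPath lookup, so duplicates are visible.
def elements_with_id(doc, id)
  REXML::XPath.match(doc, '//*[@ID]').select { |e| e.attributes['ID'] == id }
end

# Resolve the Reference URI to the single element the signature covers.
# Rejects a missing Reference, a non-fragment URI, or an ID matched by
# zero or several elements (the ambiguity wrapping attacks depend on).
def signed_element(doc)
  ref = REXML::XPath.first(doc, '//ds:Reference', 'ds' => DS)
  raise 'Signature has no ds:Reference' unless ref
  uri = ref.attributes['URI'].to_s
  raise "unsupported Reference URI #{uri.inspect}" unless uri.start_with?('#')
  found = elements_with_id(doc, uri[1..])
  raise "ID #{uri[1..]} matched #{found.size} elements, expected 1" unless found.size == 1
  found.first
end

# Unsafe pattern: locate the Assertion independently of the Signature.
def naive_subject(xml)
  REXML::XPath.first(REXML::Document.new(xml), '//Assertion/Subject').text
end

# Safe pattern: read data only from the element the signature covers, and
# only after confirming it is the element type the consumer expects.
def verified_subject(xml)
  signed = signed_element(REXML::Document.new(xml))
  raise "signed element is <#{signed.name}>, not <Assertion>" unless signed.name == 'Assertion'
  REXML::XPath.first(signed, 'Subject').text
end
```

On the sample, naive_subject returns the wrapped "mallory" while verified_subject returns "alice"; giving both assertions the same ID makes verified_subject raise instead of guessing.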
How to Protect Your Applications
To ensure your Ruby applications are protected against this vulnerability, you must update your ruby-saml gem to version 1.12.4 or 1.18., which contain fixes for this issue. You can update your Gemfile or gemspec to use the newer, patched version, like so:
gem 'ruby-saml', '~> 1.18.'
Then, run bundle install to update your dependencies.
Original References
You can review the details of this vulnerability, including the official CVE report, at these resources:
- CVE-2025-25291: https://nvd.nist.gov/vuln/detail/CVE-2025-25291
- Ruby-saml GitHub repository: https://github.com/onelogin/ruby-saml
- Patch Details: https://github.com/onelogin/ruby-saml/releases/
Conclusion
In summary, the CVE-2025-25291 vulnerability in ruby-saml is caused by parser differentials between ReXML and Nokogiri, which can potentially lead to authentication bypass through a Signature Wrapping attack. To protect your Ruby applications, update your ruby-saml gem to version 1.12.4 or 1.18.. Stay informed about security issues, and always keep your dependencies up-to-date to minimize the risks associated with software vulnerabilities.
Timeline
Published on: 03/12/2025 21:15:42 UTC
Last modified on: 03/20/2025 14:15:24 UTC