Ruby-SAML, a library that provides Security Assertion Markup Language (SAML) Single Sign-On (SSO) for Ruby, has been found to have an authentication bypass vulnerability in versions prior to 1.12.4 and 1.18., caused by a parser differential between ReXML and Nokogiri. This flaw enables attackers to execute a Signature Wrapping attack, potentially leading to authentication bypass. The issue has been patched in versions 1.12.4 and 1.18. of Ruby-SAML.

Details

The vulnerability in Ruby-SAML exists because of a parser discrepancy between ReXML and Nokogiri, the two XML parsers the library relies on. The two parsers interpret certain XML inputs differently and can build distinct document structures from the same bytes. An attacker can exploit this discrepancy to carry out a Signature Wrapping attack.

A Signature Wrapping attack occurs when an attacker modifies an XML document containing a valid signature in such a way that they can insert arbitrary content without invalidating the signature. This can effectively bypass the authentication process, causing potential security risks and unauthorized access.

In response to this issue, the maintainers of Ruby-SAML have released versions 1.12.4 and 1.18. to address the vulnerability. By updating to these versions, users can ensure that their applications are protected against such attacks.

Code Snippet

Below is a simple example that feeds the same input to ReXML and Nokogiri, the two parsers Ruby-SAML depends on, so that their outputs can be compared:

require 'rexml/document'
require 'nokogiri'
# Ruby-SAML itself is not needed for this comparison; it is the consumer of
# both parsers, which is why any difference between them matters.

# XML input (the same string is handed to both parsers)
xml_input = '<xml_document>...</xml_document>'

# ReXML parsing
rexml_doc = REXML::Document.new(xml_input)
puts "ReXML output: #{rexml_doc}"

# Nokogiri parsing
nokogiri_doc = Nokogiri::XML(xml_input)
puts "Nokogiri output: #{nokogiri_doc}"

By comparing the outputs of ReXML and Nokogiri, it becomes evident that the two parsers can interpret the same XML input differently; Ruby-SAML's reliance on both is what turns that difference into a vulnerability.
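Whatever parser differential is in play, the consumer-side defence against Signature Wrapping is structural: the element the application acts on must be exactly the element the signature references, and that ID must occur only once in the document. The following Ruby script is an added example, not code from Ruby-SAML; it uses only REXML, the sample Response it parses is constructed here, and the Signature element is a placeholder (no cryptographic verification is performed, which must still happen separately).

```ruby
require 'rexml/document'
require 'rexml/xpath'

NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze

# Constructed sample: a Response whose (placeholder) Signature references the
# Assertion by ID. `injected` stands in for content that was not signed.
def sample_response(injected = '')
  <<~XML
    <samlp:Response xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}" ID="_r1">
      #{injected}
      <saml:Assertion ID="_a1">
        <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
        <ds:Signature xmlns:ds="#{NS['ds']}">
          <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        </ds:Signature>
      </saml:Assertion>
    </samlp:Response>
  XML
end

# Returns the NameID the application may act on, or nil when the document's
# structure would let unsigned content be consumed in place of the signed element.
def trusted_name_id(xml)
  doc = REXML::Document.new(xml)
  refs = REXML::XPath.match(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', NS)
  return nil unless refs.size == 1
  uri = refs[0].attributes['URI'].to_s
  # Accept only a same-document ID reference, and only characters that cannot
  # alter the XPath expression built below.
  return nil unless uri.start_with?('#') && uri[1..].match?(/\A[\w.-]+\z/)
  holders = REXML::XPath.match(doc, "//*[@ID='#{uri[1..]}']")
  return nil unless holders.size == 1            # the signed ID must be unique
  consumed = REXML::XPath.first(doc, '/samlp:Response/saml:Assertion', NS)
  return nil unless consumed.equal?(holders[0])  # consumed element == signed element
  REXML::XPath.first(consumed, 'saml:Subject/saml:NameID', NS)&.text
end
```

The same check is worth applying with whichever parser the application actually uses to read the assertion, since a mismatch between the element that was hashed and the element that is consumed is precisely what a wrapping attack exploits.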

Mitigation

To safeguard against this vulnerability, users of Ruby-SAML should update the library to version 1.12.4 or 1.18., which contain the patches addressing this issue. Doing so keeps your application protected against this authentication bypass.

Original References

- Ruby-SAML GitHub Repository: https://github.com/onelogin/ruby-saml
- Ruby-SAML Changelog: https://github.com/onelogin/ruby-saml/blob/master/changelog.md
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25292

Please be sure to regularly monitor your application's dependencies for updated versions and patches. Stay informed about vulnerabilities and always practice good security hygiene in your software development.

Timeline

Published on: 03/12/2025 21:15:42 UTC
Last modified on: 03/20/2025 14:15:24 UTC