CVE-2025-25291

9.8 CRITICAL

📋 TL;DR

CVE-2025-25291 is an authentication bypass vulnerability in ruby-saml that allows attackers to bypass SAML single sign-on authentication via signature wrapping attacks. The vulnerability stems from parser differentials between ReXML and Nokogiri XML parsers, which can generate different document structures from the same XML input. This affects all Ruby applications using vulnerable versions of ruby-saml for SAML authentication.

💻 Affected Systems

Products:
  • ruby-saml
  • GitLab (versions prior to 17.9.2)
  • Other Ruby applications using ruby-saml
Versions: All ruby-saml versions prior to 1.12.4 (1.12.x line) and prior to 1.18.0 (later lines)
Operating Systems: All operating systems running Ruby applications with vulnerable ruby-saml
Default Config Vulnerable: ⚠️ Yes
Notes: Any Ruby application using ruby-saml for SAML authentication is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authentication bypass allowing attackers to impersonate any user, gain unauthorized access to protected systems, and potentially escalate privileges across integrated applications.

🟠

Likely Case

Authentication bypass enabling unauthorized access to applications protected by SAML SSO, potentially leading to data exposure and unauthorized actions.

🟢

If Mitigated

Limited impact with proper network segmentation, additional authentication factors, and monitoring for suspicious authentication patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of SAML and XML signature wrapping attacks, but public references provide sufficient technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ruby-saml 1.12.4 or 1.18.0

Vendor Advisory: https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4

Restart Required: Yes

Instructions:

1. Update the Gemfile to specify 'gem "ruby-saml", ">= 1.12.4"' or 'gem "ruby-saml", ">= 1.18.0"'.
2. Run 'bundle update ruby-saml'.
3. Restart your Ruby application server.
4. For GitLab, upgrade to version 17.9.2 or later.

🔧 Temporary Workarounds

Force Nokogiri Parser

all

Configure ruby-saml to use only the Nokogiri parser to avoid parser differentials.

In the ruby-saml configuration:

settings.security[:xml_security] = true
settings.security[:allowed_clock_drift] = 0

🧯 If You Can't Patch

  • Implement additional authentication factors (MFA) for all SAML-authenticated applications
  • Monitor authentication logs for suspicious patterns and implement rate limiting on authentication endpoints

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock or run 'bundle show ruby-saml' to see the installed version. If the installed version is older than the fix on its line (1.12.4 for the 1.12.x line, 1.18.0 for anything from 1.13.0 onward), you are vulnerable.

Check Version:

bundle show ruby-saml | grep -o 'ruby-saml-[0-9]\+\.[0-9]\+\.[0-9]\+' | sed 's/ruby-saml-//'

(The gem name is matched first so that a Ruby version number appearing earlier in the gem path is not picked up by mistake.)

Verify Fix Applied:

After updating, verify with 'bundle show ruby-saml' that the version is 1.12.4 or higher on the 1.12.x line, or 1.18.0 or higher otherwise. Then test the SAML authentication flows.
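An added example, not from this advisory or the ruby-saml project: a small Ruby check that reads a Gemfile.lock and classifies the locked ruby-saml version against the two fix lines named above (1.12.4 for 1.12.x, 1.18.0 for 1.13.0 and later). The Gemfile.lock fragment is constructed for the demonstration.

```ruby
# Added example (not ruby-saml code): classify a Gemfile.lock's ruby-saml
# pin against the CVE-2025-25291 fix releases named in the advisory.
require 'rubygems'

# Fixed releases per maintenance line, as stated in the advisory.
FIXED_1_12 = Gem::Version.new('1.12.4')   # fix for the 1.12.x line
FIXED_1_18 = Gem::Version.new('1.18.0')   # fix for 1.13.0 .. 1.17.x
BRANCH_CUT = Gem::Version.new('1.13.0')   # first version on the later line

# Extract the locked ruby-saml version from Gemfile.lock text.
# Returns nil when the gem is not locked at all.
def locked_ruby_saml_version(lock_text)
  # In the GEM specs section the gem's own line is "    ruby-saml (1.12.3)";
  # dependency lines are indented deeper and therefore not matched.
  m = lock_text.match(/^\s{4}ruby-saml \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

# true when the version predates the fix on its own maintenance line.
def vulnerable_ruby_saml?(version)
  v = Gem::Version.new(version.to_s)
  v < BRANCH_CUT ? v < FIXED_1_12 : v < FIXED_1_18
end

# :vulnerable, :fixed, or :not_present when ruby-saml is not in the lock.
def check_gemfile_lock(lock_text)
  v = locked_ruby_saml_version(lock_text)
  return :not_present if v.nil?
  vulnerable_ruby_saml?(v) ? :vulnerable : :fixed
end

# Constructed Gemfile.lock fragment (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
      ruby-saml (1.12.3)
        nokogiri (>= 1.13.10)
        rexml

  DEPENDENCIES
    ruby-saml
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "ruby-saml: #{check_gemfile_lock(text)}"
end
```

Run it with the path to a project's Gemfile.lock as the first argument; without an argument it evaluates the constructed sample.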

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful authentication from same IP
  • Unusual user agent strings in SAML requests
  • XML parsing errors in application logs

Network Indicators:

  • Unusually large SAML responses
  • Multiple SAML authentication requests from single source in short time

SIEM Query:

source="application.log" AND ("SAML" OR "ruby-saml") AND ("error" OR "failed" OR "invalid")

🔗 References
