CVE-2025-25291 Overview
CVE-2025-25291 is a critical authentication bypass vulnerability in the ruby-saml library, which provides Security Assertion Markup Language (SAML) single sign-on (SSO) functionality for Ruby applications. The vulnerability stems from a parser differential between ReXML and Nokogiri XML parsing engines, which can generate entirely different document structures from the same XML input. This discrepancy allows attackers to execute a Signature Wrapping attack, effectively bypassing SAML authentication mechanisms.
Critical Impact
This authentication bypass vulnerability allows attackers to potentially sign in as any user by exploiting XML parser differentials, completely circumventing SAML SSO authentication controls.
Affected Products
- onelogin ruby-saml (versions prior to 1.12.4 and 1.18.0)
- omniauth omniauth_saml
- netapp storagegrid
Discovery Timeline
- 2025-03-12 - CVE-2025-25291 published to NVD
- 2025-03-12 - GitLab releases security patch 17.9.2 addressing the vulnerability
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-25291
Vulnerability Analysis
The vulnerability exists in how ruby-saml processes SAML responses using two different XML parsing libraries: ReXML (Ruby's standard library XML parser) and Nokogiri (a popular Ruby XML/HTML parser). When parsing the same SAML XML document, these parsers can produce fundamentally different document structures. This parser differential creates an exploitable condition where an attacker can craft malicious SAML responses that pass signature validation using one parser's interpretation while being processed differently by the other parser.
The core issue relates to CWE-347 (Improper Verification of Cryptographic Signature), where the signature verification process can be bypassed due to the inconsistent handling of XML elements between parsers. In a Signature Wrapping attack, the attacker injects malicious content into the SAML response in a way that the legitimate signed content satisfies signature verification, but the malicious unsigned content is what gets processed for authentication decisions.
Root Cause
The root cause lies in the lack of consistent XML document handling across different parsing engines within ruby-saml. When SAML responses are validated, the signature verification may use one parser's document representation while the actual authentication assertion extraction uses another. This architectural flaw allows attackers to exploit the semantic differences between how ReXML and Nokogiri interpret namespace handling, element ordering, and document structure.
Attack Vector
The attack is network-based and requires no user interaction or prior authentication. An attacker with knowledge of a valid user identifier in the target system can craft a specially formed SAML response that exploits the parser differential. The malicious response contains both a legitimately signed portion (which passes signature verification) and an unsigned malicious assertion (which gets used for authentication). By exploiting how different parsers traverse and interpret the XML document tree, the attacker can effectively authenticate as any user without possessing valid credentials.
# Security patch in lib/onelogin/ruby-saml/response.rb
# Source: https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9
#
def validate_structure
structure_error_msg = "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"
- unless valid_saml?(document, soft)
+ check_malformed_doc = check_malformed_doc_enabled?
+ unless valid_saml?(document, soft, check_malformed_doc)
return append_error(structure_error_msg)
end
unless decrypted_document.nil?
- unless valid_saml?(decrypted_document, soft)
+ unless valid_saml?(decrypted_document, soft, check_malformed_doc)
return append_error(structure_error_msg)
end
end
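Review bot: the hunk calls `check_malformed_doc_enabled?` and a three-argument `valid_saml?(document, soft, check_malformed_doc)` whose definitions are not shown, so a reviewer cannot confirm from these lines whether the new check is on by default or opt-in; the change set should state the default plainly (and default to on), since an opt-in flag would leave every existing deployment exposed until operators discover it. Both failure paths also reuse `structure_error_msg` ("Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"), so a malformed-document rejection is indistinguishable in logs from an ordinary schema mismatch; a distinct message on the `check_malformed_doc` path would make exploitation attempts visible to the detection work this fix is meant to support.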
The patch introduces a check_malformed_doc parameter that enables additional validation to detect XML documents that could be interpreted differently by various parsers, preventing the exploitation of parser differentials.
Detection Methods for CVE-2025-25291
Indicators of Compromise
- Unusual SAML response structures containing duplicate or nested assertion elements
- Authentication events where the authenticated user identity doesn't match expected request patterns
- SAML responses with XML structures that appear malformed or contain unexpected namespace declarations
- Successful authentications from users without corresponding identity provider (IdP) session creation
Detection Strategies
- Monitor SAML authentication logs for anomalies such as multiple assertions in a single response or unexpected element ordering
- Implement deep XML inspection on SAML responses to detect signature wrapping attempts
- Compare authenticated user identities against expected authentication flows and IdP records
- Deploy web application firewalls (WAF) with rules to detect malformed SAML assertions
Monitoring Recommendations
- Enable verbose logging for all SAML authentication events including full response payloads
- Set up alerts for authentication bypass indicators such as successful logins without matching IdP confirmations
- Monitor for unusual patterns in user authentication timing and source IP addresses
- Track ruby-saml library version usage across all applications and flag instances running vulnerable versions
How to Mitigate CVE-2025-25291
Immediate Actions Required
- Upgrade ruby-saml to version 1.12.4 or 1.18.0 immediately
- Audit all Ruby applications using SAML authentication for vulnerable library versions
- Review authentication logs for any suspicious activity that may indicate exploitation
- Consider temporarily disabling SAML SSO if immediate patching is not possible and assess alternative authentication mechanisms
Patch Information
Security patches are available in ruby-saml versions 1.12.4 and 1.18.0. The patches introduce a check_malformed_doc validation parameter that ensures consistent XML document interpretation across parsers, effectively preventing Signature Wrapping attacks. For detailed patch information, see the ruby-saml Security Advisory GHSA-4vc4-m8qh-g8jm.
GitLab users should upgrade to version 17.9.2 or later, as documented in the GitLab Patch Release 17.9.2. NetApp StorageGRID users should consult the NetApp Security Advisory ntap-20250314-0010 for vendor-specific guidance.
Workarounds
- If patching is not immediately feasible, implement strict XML structure validation before SAML responses reach ruby-saml
- Consider using a single consistent XML parser throughout the SAML processing chain
- Deploy network-level controls to inspect and reject SAML responses with suspicious XML structures
- Implement additional authentication factors as a defense-in-depth measure until patching is complete
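As an added example that is not ruby-saml's own code, the REXML-based pre-filter below implements the "strict XML structure validation before SAML responses reach ruby-saml" workaround and the duplicate/nested-assertion indicators from the detection section: it rejects a response that carries a DOCTYPE, has anything other than exactly one Assertion directly under the Response, or whose Signature References do not name the Response or that single Assertion. The function name is hypothetical, the namespace URIs are the standard SAML 2.0 and XML Signature ones, and it assumes the Assertion is not encrypted.

```ruby
require 'rexml/document'

# Namespaces used by SAML 2.0 responses and XML Signature.
SAML_NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze

# Hypothetical pre-filter: returns a list of structural problems found in a
# raw SAML Response. An empty list means the document may be handed on to
# ruby-saml; it does not replace signature verification. Assumes the
# Assertion is not encrypted (an EncryptedAssertion fails the count check).
def saml_structure_problems(xml)
  problems = []
  doc = REXML::Document.new(xml)
  root = doc.root
  return ['document has no root element'] if root.nil?

  # A DOCTYPE has no place in a SAML response and is a classic source of
  # parser-to-parser disagreement, so reject it outright.
  problems << 'DOCTYPE declaration present' if doc.doctype
  unless root.name == 'Response' && root.namespace == SAML_NS['samlp']
    problems << "unexpected root element <#{root.expanded_name}>"
  end

  # Exactly one Assertion, sitting directly under the Response: duplicate or
  # nested assertions are the indicators the detection section lists.
  assertions = REXML::XPath.match(doc, '//saml:Assertion', SAML_NS)
  problems << "expected 1 Assertion, found #{assertions.size}" unless assertions.size == 1
  assertions.each do |a|
    problems << 'Assertion is not a direct child of Response' unless a.parent.equal?(root)
  end

  # Every Signature Reference must point at the Response or that Assertion,
  # so the element consumed for authentication is the element that was signed.
  signed_ids = [root.attributes['ID'], *assertions.map { |a| a.attributes['ID'] }].compact
  refs = REXML::XPath.match(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', SAML_NS)
  problems << 'no Signature Reference found' if refs.empty?
  refs.each do |ref|
    uri = ref.attributes['URI'].to_s
    next if uri.start_with?('#') && signed_ids.include?(uri[1..-1])
    problems << "Signature Reference URI #{uri.inspect} does not name the Response or its Assertion"
  end
  problems
rescue REXML::ParseException => e
  ["XML parse error: #{e.message.lines.first.to_s.strip}"]
end
```

Run the filter before the response is passed to ruby-saml and reject the login (and log the returned list) when it is non-empty; legitimate IdPs that sign only the Response or only the Assertion both pass, because either ID is accepted as a Reference target.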
# Update ruby-saml using Bundler
bundle update ruby-saml
# Verify the resolved version (bundle info prints the version; bundle show prints only the install path)
bundle info ruby-saml
# Expected first line: * ruby-saml (1.12.4) or * ruby-saml (1.18.0) or higher
# For omniauth-saml users: omniauth-saml depends on ruby-saml, so update the wrapper
# and then confirm that the ruby-saml it resolves to is a fixed version
bundle update omniauth-saml
bundle info ruby-saml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

