CVE-2025-25292 Overview
CVE-2025-25292 is a critical authentication bypass vulnerability discovered in the ruby-saml library, which provides Security Assertion Markup Language (SAML) single sign-on (SSO) capabilities for Ruby applications. The vulnerability stems from a parser differential between the ReXML and Nokogiri XML parsing libraries, allowing attackers to execute Signature Wrapping attacks and bypass authentication mechanisms.
The flaw enables an unauthenticated attacker to craft malicious SAML responses that exploit the parsing differences between these two XML libraries. When ReXML and Nokogiri parse the same XML input, they can generate entirely different document structures, which attackers can leverage to manipulate signature validation and gain unauthorized access to protected resources.
Critical Impact
This vulnerability allows complete authentication bypass in SAML SSO implementations, enabling attackers to sign in as any user without valid credentials on affected applications including GitLab instances.
Affected Products
- onelogin ruby-saml (versions prior to 1.12.4 and 1.18.0)
- omniauth omniauth_saml (dependent on vulnerable ruby-saml versions)
- netapp storagegrid
Discovery Timeline
- 2025-03-12 - CVE-2025-25292 published to NVD
- 2025-03-12 - GitLab releases patch version 17.9.2
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-25292
Vulnerability Analysis
The vulnerability exists in how ruby-saml handles XML document parsing and signature validation. The library uses two different XML parsing libraries—ReXML (Ruby's built-in XML parser) and Nokogiri (a wrapper around libxml2)—at different stages of SAML response processing. These parsers handle certain XML constructs differently, particularly around comments, whitespace, and entity handling.
When processing a SAML response, ruby-saml performs signature validation using one parser but extracts assertion data using another. An attacker can craft a malicious SAML response that appears valid to the signature verification process but yields different content when the actual assertion data is extracted. This discrepancy allows the attacker to inject arbitrary assertion content that bypasses signature validation entirely.
The authentication bypass can be exploited remotely without any prior authentication, requiring only network access to the vulnerable application's SAML endpoint. Successful exploitation grants attackers unauthorized access with the ability to impersonate any user within the SAML authentication context.
Root Cause
The root cause is a classic parser differential vulnerability (CWE-347: Improper Verification of Cryptographic Signature). The ruby-saml library validates SAML signatures using one XML parser but extracts assertion content using a different parser that interprets the same XML document structure differently. This architectural flaw means the signed content verified during validation may differ from the content actually used for authentication decisions.
The security patch addresses this by introducing a check_malformed_doc parameter that ensures consistent document handling across both parsing stages. The fix validates the XML document structure using Nokogiri's safe loading mechanism before processing, ensuring that malformed or crafted XML that would be parsed differently by ReXML and Nokogiri is rejected early in the validation process.
Attack Vector
The attack requires network access to a SAML Service Provider (SP) endpoint that uses a vulnerable version of ruby-saml. An attacker can execute a Signature Wrapping attack by:
- Intercepting or obtaining a valid signed SAML response
- Crafting a modified SAML response that exploits parser differential behavior
- Inserting malicious assertion content that will be parsed differently by ReXML and Nokogiri
- Submitting the crafted response to the vulnerable SP endpoint
- The signature validates against the original content while the application extracts the attacker's injected content
# Security patch in lib/onelogin/ruby-saml/saml_message.rb
# Source: https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
# Validates the SAML Message against the specified schema.
# @param document [REXML::Document] The message that will be validated
# @param soft [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the message is invalid or not)
# @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
# @return [Boolean] True if the XML is valid, otherwise False, if soft=True
# @raise [ValidationError] if soft == false and validation fails
#
- def valid_saml?(document, soft = true)
+ def valid_saml?(document, soft = true, check_malformed_doc = true)
begin
- xml = Nokogiri::XML(document.to_s) do |config|
- config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
- end
+ xml = XMLSecurity::BaseDocument.safe_load_xml(document, check_malformed_doc)
rescue StandardError => error
return false if soft
raise ValidationError.new("XML load failed: #{error.message}")
Detection Methods for CVE-2025-25292
Indicators of Compromise
- Unexpected SAML authentication successes for users who did not initiate login requests
- SAML responses containing unusual XML structures, comments, or entity references
- Authentication logs showing successful logins from unexpected IP addresses or geographic locations
- Anomalous user session creation patterns, particularly for privileged accounts
Detection Strategies
- Monitor SAML endpoint access logs for malformed or unusually large SAML response payloads
- Implement alerting on authentication events that occur without corresponding user-initiated SSO flows
- Review web application logs for XML parsing errors or warnings that may indicate exploitation attempts
- Deploy network-level inspection for SAML traffic containing suspicious XML constructs
Monitoring Recommendations
- Enable detailed logging on all SAML authentication endpoints and correlation with identity provider logs
- Monitor for privilege escalation events following SAML authentication, particularly admin account access
- Implement anomaly detection on user session patterns to identify potential impersonation attacks
- Track ruby-saml library versions across your environment to ensure patched versions are deployed
How to Mitigate CVE-2025-25292
Immediate Actions Required
- Update ruby-saml to version 1.12.4 or 1.18.0 immediately across all affected applications
- Audit recent SAML authentication logs for suspicious activity that may indicate prior exploitation
- Review and revoke any suspicious user sessions created through SAML authentication
- Notify security teams about potential authentication bypass and coordinate incident response if exploitation is suspected
Patch Information
The vulnerability has been patched in ruby-saml versions 1.12.4 and 1.18.0. Organizations should upgrade to these versions immediately. For GitLab users, version 17.9.2 includes the patched ruby-saml library. The patches introduce a check_malformed_doc parameter that enables consistent XML document validation using Nokogiri's safe loading mechanism.
Detailed patch information is available in the GitHub Security Advisory GHSA-754f-8gm6-c4r2 and the corresponding omniauth-saml advisory GHSA-hw46-3hmr-x9xv.
Workarounds
- Temporarily disable SAML SSO authentication if upgrading is not immediately possible
- Implement additional authentication factors (MFA) that operate independently of SAML assertions
- Restrict network access to SAML endpoints to trusted identity providers only
- Enable strict XML schema validation at the web application firewall level
# Update ruby-saml gem to patched version
bundle update ruby-saml
# Verify installed version
bundle show ruby-saml
# For GitLab installations, upgrade to 17.9.2 or later
sudo gitlab-ctl upgrade
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
