Two high-severity vulnerabilities have been discovered in the ruby-saml library, which handles SAML authentication. These flaws, tracked as CVE-2025-25291 and CVE-2025-25292, could allow attackers to bypass authentication protections. This would enable unauthorized access, potentially leading to account takeover attacks. Both vulnerabilities are linked to how the REXML and Nokogiri XML parsers process data differently, creating a parsing discrepancy.
The security flaws have been rated with a CVSS score of 8.8 out of 10.0 and affect specific ruby-saml versions.
They exist in versions earlier than 1.12.4 and versions between 1.13.0 and 1.18.0. Exploiting these vulnerabilities would allow attackers to execute a Signature Wrapping attack. This attack could bypass authentication and allow them to impersonate any user by creating their own SAML assertions.
GitHub, the company that discovered the flaws, reported the issue in November 2024. The flaws exploit a disconnect between signature and hash verification, opening the door to exploitation. To fix these vulnerabilities, updates were released in ruby-saml versions 1.12.4 and 1.18.0.
These versions also address a denial-of-service (DoS) flaw related to compressed SAML responses, identified as CVE-2025-25293.
To mitigate the risks posed by these vulnerabilities, GitLab has released updates for both its Community Edition (CE) and Enterprise Edition (EE). The updated versions, 17.9.2, 17.8.5, and 17.7.7, address the vulnerabilities and prevent attackers from exploiting them within GitLab instances using SAML authentication. However, successful exploitation requires the attacker to have previously compromised a valid user account.
This means that the attacker must have access to a signed SAML document from the Identity Provider (IdP) in order to authenticate as another user within the SAML environment. Therefore, while the vulnerabilities are serious, the need for prior access to a valid user account limits the immediate impact but still poses a significant security risk to affected organizations.
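The quickest defensive check for this advisory is a version comparison: is the installed ruby-saml gem inside one of the affected ranges named above (below 1.12.4, or 1.13.0 up to the fix in 1.18.0), and is a GitLab instance behind the patched release for its branch (17.9.2, 17.8.5, 17.7.7)? The following Ruby snippet is an added example, not code from the ruby-saml project or from GitLab; it encodes only the version ranges stated in the article, uses the `Gem::Version` and `Gem::Requirement` classes from Ruby's bundled RubyGems for the comparison, and reports `nil` for a GitLab branch the advisory does not cover rather than guessing.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement for semantic version comparison

# Affected ruby-saml ranges as stated in the advisory:
# anything below 1.12.4, and 1.13.0 up to (not including) the 1.18.0 fix.
RUBY_SAML_AFFECTED = [
  Gem::Requirement.new("< 1.12.4"),
  Gem::Requirement.new([">= 1.13.0", "< 1.18.0"]),
].freeze

# GitLab patched releases per release branch, as named in the advisory.
GITLAB_FIXED = {
  "17.9" => "17.9.2",
  "17.8" => "17.8.5",
  "17.7" => "17.7.7",
}.freeze

# true if the given ruby-saml version string falls in an affected range.
def ruby_saml_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  RUBY_SAML_AFFECTED.any? { |req| req.satisfied_by?(version) }
end

# true  => GitLab version is older than the patched release for its branch
# false => at or beyond the patched release
# nil   => branch not covered by the advisory text, so no claim is made
def gitlab_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  branch = version.segments[0, 2].join(".")
  fixed = GITLAB_FIXED[branch]
  return nil if fixed.nil?
  version < Gem::Version.new(fixed)
end

# Version of ruby-saml loaded in the current process, or nil if it is not
# installed (the usual case outside a SAML-enabled application).
def installed_ruby_saml_version
  spec = Gem.loaded_specs["ruby-saml"]
  spec && spec.version.to_s
end

# Human-readable verdict for a reported version; the version strings in the
# usage below are constructed sample inputs, not readings from a real system.
def report(label, version_string, vulnerable)
  verdict = case vulnerable
            when true  then "UPGRADE REQUIRED"
            when false then "patched"
            else            "not covered by this advisory"
            end
  "#{label} #{version_string}: #{verdict}"
end

if $PROGRAM_NAME == __FILE__
  ["1.12.3", "1.12.4", "1.13.0", "1.17.0", "1.18.0"].each do |v|
    puts report("ruby-saml", v, ruby_saml_vulnerable?(v))
  end
  ["17.9.1", "17.9.2", "17.8.4", "17.7.7", "17.6.0"].each do |v|
    puts report("GitLab", v, gitlab_vulnerable?(v))
  end
  installed = installed_ruby_saml_version
  puts report("installed ruby-saml", installed, ruby_saml_vulnerable?(installed)) if installed
end
```

Note that 1.12.5 and later on the 1.12 branch are treated as patched, matching the article's statement that 1.12.4 carries the fix; the 1.13 to 1.17 branches stay flagged until 1.18.0.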