{"id":2609,"date":"2025-03-15T10:04:29","date_gmt":"2025-03-15T10:04:29","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/03\/15\/critical-ruby-saml-vulnerabilities-let-attackers-bypass-authentication\/"},"modified":"2025-03-15T10:04:29","modified_gmt":"2025-03-15T10:04:29","slug":"critical-ruby-saml-vulnerabilities-let-attackers-bypass-authentication","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/03\/15\/critical-ruby-saml-vulnerabilities-let-attackers-bypass-authentication\/","title":{"rendered":"Critical ruby-saml Vulnerabilities Let Attackers Bypass Authentication"},"content":{"rendered":"

Critical ruby-saml Vulnerabilities Let Attackers Bypass Authentication
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Two critical authentication bypass vulnerabilities have been discovered in the ruby-saml library, potentially exposing numerous web applications to account takeover attacks.\u00a0<\/p>\n

Security researchers from GitHub Security Lab have identified parser differential vulnerabilities (CVE-2025-25291 and CVE-2025-25292) affecting ruby-saml versions up to 1.17.0, which could allow attackers to impersonate any user within affected systems.<\/p>\n

GitHub reports that the vulnerabilities stem from ruby-saml\u2019s use of two different XML parsers\u2014REXML and Nokogiri\u2014during the SAML response signature verification process.\u00a0<\/p>\n

This dual-parser approach creates a critical security flaw where the parsers interpret the same XML document differently, allowing attackers to manipulate verification checks.<\/p>\n

In the affected code, ruby-saml uses REXML to extract the signature element and SignatureValue, while Nokogiri is used to extract and canonicalize the SignedInfo element.<\/p>\n

Critical ruby-saml Vulnerabilities<\/strong><\/h2>\n

The disconnect between these two operations creates an exploitable condition. When validating SAML responses, the library performs two critical checks: comparing a calculated hash against a DigestValue and verifying the SignedInfo element against the SignatureValue. The summary of both vulnerabilities is given below:<\/p>\n

\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\nruby-saml < 1.12.4 and \u2265 1.13.0, < 1.18.0; omniauth-saml < 2.2.2, < 1.10.5<\/td>\n<\/tr>\n
Impact<\/td>\nAuthentication bypass; Account takeover<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\nPossession of a single valid signature created with the target organization\u2019s key; Can be obtained from an unprivileged user\u2019s assertion or publicly accessible IdP metadata<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n8.8 (High)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Researchers discovered<\/a> that an attacker could craft a malicious SAML response containing two different Signature elements\u2014one visible to REXML and another visible to Nokogiri. The code in xml_security.rb first queries for signature elements with REXML:<\/p>\n

\"\"<\/figure>\n

Later, it queries again using Nokogiri:<\/p>\n

\"\"<\/figure>\n

Due to parser differences, these queries can return different elements from the same document.\u00a0<\/p>\n

An attacker exploits this by ensuring that a valid SignedInfo with DigestValue is verified against a legitimate signature, while simultaneously having a fabricated assertion compared against its calculated digest.<\/p>\n

Attack Scenario<\/strong><\/h2>\n

The security impact is severe. An attacker with a valid signature created with the target organization\u2019s key can construct SAML assertions for any user.\u00a0<\/p>\n

This signature could come from a legitimate SAML response belonging to an unprivileged user or, in some cases, even from publicly accessible signed metadata of a SAML identity provider.<\/p>\n

For example, an attacker could create a malicious SAML response containing an additional Signature element hidden within a StatusDetail element that would only be visible to Nokogiri.\u00a0<\/p>\n

This technique effectively disconnects the hash verification from the signature verification, allowing attackers to bypass authentication mechanisms and gain unauthorized access to protected resources.<\/p>\n

The vulnerabilities<\/a> have been confirmed in popular projects using ruby-saml, including GitLab. GitHub Security Lab notified GitLab\u2019s security team to protect their users against potential attacks<\/p>\n

Mitigations<\/strong><\/h2>\n

Organizations using ruby-saml should immediately update to version 1.18.0, which contains fixes for both CVE-2025-25291 and CVE-2025-25292.\u00a0<\/p>\n

Additionally, references to libraries making use of ruby-saml, such as omniauth-saml, must be updated to versions that reference the fixed version of ruby-saml.<\/p>\n

For developers implementing temporary mitigations, checking for Nokogiri parsing errors can help prevent some exploitation techniques:<\/p>\n

\"\"<\/figure>\n

However, this is not a complete solution, and updating to the fixed version remains the recommended approach.<\/p>\n

The vulnerabilities were discovered through a private bug bounty engagement initiated by GitHub to evaluate the security of the ruby-saml library. Both a bug bounty participant identified as \u201cahacker1\u201d and GitHub Security Lab researchers independently identified the parser differential issues.\u00a0<\/p>\n

The maintainer of ruby-saml, Sixto Mart\u00edn, worked with security researchers to develop and release the fixes.<\/p>\n

No reliable indicators of compromise have been identified, making it crucial for organizations to proactively update their implementations and monitor for suspicious SAML-based authentication attempts.<\/p>\n

Are you from SOC\/DFIR Teams? \u2013 Analyse Malware Incidents & get live Access with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/strong>\u00a0<\/p>\n

The post Critical ruby-saml Vulnerabilities Let Attackers Bypass Authentication<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Critical ruby-saml Vulnerabilities Let Attackers Bypass Authentication Two critical authentication bypass vulnerabilities have been discovered in the ruby-saml library, potentially exposing numerous web applications to account takeover attacks.\u00a0 Security researchers from GitHub Security Lab have identified parser differential vulnerabilities (CVE-2025-25291 and CVE-2025-25292) affecting ruby-saml versions up to 1.17.0, which could allow attackers to impersonate any […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-2609","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2609"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2609"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2609\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}