
Critical Vulnerabilities in ruby-saml Enable Attackers to Bypass Authentication

A critical security flaw has been uncovered in the ruby-saml library, a widely used tool for implementing the service provider side of Single Sign-On (SSO) via the Security Assertion Markup Language (SAML). The vulnerabilities, identified as CVE-2025-25291 and CVE-2025-25292, could allow attackers to bypass authentication and take over accounts if they possess a valid signature created with the targeted organization's key.

The ruby-saml library is extensively utilized in various applications and products, including prominent projects like GitLab. Although GitHub does not currently rely on this library for authentication, the platform recently reconsidered its usage following the detection of vulnerabilities in its own SAML implementation.

The decision to reassess the security of ruby-saml was prompted by the disclosure of a significant authentication bypass flaw in October 2024 (CVE-2024-45409). GitHub's Security Lab and bug bounty researchers then conducted a comprehensive security review that led to the discovery of these new vulnerabilities.

During the examination, it was found that ruby-saml employs two different XML parsers, REXML and Nokogiri, in the signature verification process. This dual-parser setup introduced a class of vulnerability known as a parser differential, in which REXML and Nokogiri can be made to extract different signature elements from the same document, potentially leading to an authentication bypass.

The vulnerability discovery process involved multiple stages, starting with the identification of the use of multiple parsers, followed by assessing exploitability, finding a parser differential, and finally creating a complete exploit to bypass authentication. By leveraging the parser differential, attackers could deceive the parsers into retrieving distinct signatures, facilitating an authentication bypass.

SAML responses play a crucial role in transporting user information from the identity provider to the service provider in XML format. To ensure data integrity, the signature on a SAML response must be verified by canonicalizing the signed content and checking it against the SignedInfo and DigestValue elements of the signature.
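The following is an added example, not code from the advisory or from ruby-saml itself, showing in Python (standard library only) the verification pattern that the parser-differential finding points toward: parse the response once, require exactly one ds:Signature and exactly one element carrying the referenced ID, and compute the digest over that same tree. The minimal SAML structure, the stdlib C14N 2.0 canonicalization standing in for the exclusive C14N a real SAML stack applies, and the omission of the SignatureValue and key checks are assumptions made for the demonstration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)
SIG_TAG = f"{{{DS}}}Signature"

def digest_without_signature(elem):
    # Enveloped-signature transform: canonicalize elem with its own ds:Signature
    # removed, then SHA-256. Stdlib C14N 2.0 stands in for exclusive C14N here.
    canon = ET.canonicalize(ET.tostring(elem, encoding="unicode"),
                            exclude_tags={SIG_TAG})
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def build_signed_response(name_id, assertion_id="_a1"):
    # Constructed sample: a minimal Response whose Assertion carries a
    # digest-only Signature (SignatureValue and key checks are omitted).
    resp = ET.Element(f"{{{SAMLP}}}Response")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID=assertion_id)
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    digest = digest_without_signature(assertion)  # taken before signing
    sig = ET.SubElement(assertion, SIG_TAG)
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + assertion_id)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest
    return ET.tostring(resp)

def verify_assertion_digest(xml_bytes):
    # Parse once and take every decision on that single tree, so the element
    # whose digest is checked is the element the application will consume.
    root = ET.fromstring(xml_bytes)
    signatures = root.findall(f".//{SIG_TAG}")
    if len(signatures) != 1:          # ambiguity is rejected, not resolved
        return False
    ref = signatures[0].find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):       # only same-document references here
        return False
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1:             # duplicate IDs are rejected as well
        return False
    if signatures[0] not in list(targets[0]):  # signature must envelope target
        return False
    expected = ref.findtext(f"{{{DS}}}DigestValue", "")
    return digest_without_signature(targets[0]) == expected
```

A production verifier must additionally check SignatureValue over SignedInfo against the identity provider's certificate; the point here is that every lookup and the digest computation come from one parse.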

Through GitHub's bug bounty program, a participant successfully crafted an exploit based on the parser differential, enabling an authentication bypass for anyone in possession of a valid signature from the targeted organization. The exploit highlighted the risk posed by previously signed assertions or publicly accessible metadata.

Users of the ruby-saml library are strongly advised to update to version 1.18.0 promptly to mitigate these vulnerabilities. Projects or libraries relying on ruby-saml, such as omniauth-saml, should also update to a version referencing a fixed version of the library.

The discovery of these vulnerabilities underscores the significance of conducting thorough security audits and bug bounty programs to identify and address critical issues before they can be exploited. It also emphasizes the importance of staying up-to-date with libraries and frameworks to prevent exploitation and safeguard the security of users and organizations.

In conclusion, the vulnerabilities in ruby-saml underscore the ongoing challenges in securing SSO systems but also showcase how collaborative efforts between researchers and companies can lead to improved security outcomes. The security community remains vigilant in monitoring these issues to ensure libraries like ruby-saml remain resilient against emerging threats.
