Two high-severity vulnerabilities have recently been unearthed in the ruby-saml library, known for managing SAML authentication processes. Identified as CVE-2025-25291 and CVE-2025-25292, these weaknesses have the potential to permit malicious actors to circumvent authentication safeguards. By doing so, unauthorized parties may gain entry, ultimately paving the way for possible account takeover endeavors. The root of both vulnerabilities lies in how the REXML and Nokogiri XML parsers interpret data differently, thereby creating a parsing inconsistency.
Marked with a CVSS score of 8.8 out of 10.0, the security flaws specifically impact certain versions of ruby-saml. They are present in versions anterior to 1.12.4, as well as versions ranging from 1.13.0 to 1.18.0. Exploiting these vulnerabilities would grant perpetrators the ability to carry out a Signature Wrapping attack. Through this method, authentication could be bypassed, affording wrongdoers the opportunity to mimic any user by fabricating their own SAML assertions.
The revelation of these vulnerabilities was brought forth by GitHub, with the issue first reported in November of 2024. Exploiting the flaws capitalizes on a discrepancy between signature and hash verification, setting the stage for potential exploitation. Remedying these vulnerabilities entailed the deployment of updates in ruby-saml versions 1.12.4 and 1.18.0.
These updated versions also tackle a denial-of-service (DoS) flaw linked to compressed SAML responses, denoted as CVE-2025-25293. In response to the risks posed by these vulnerabilities, GitLab has taken proactive measures by releasing updates for both its Community Edition (CE) and Enterprise Edition (EE). By introducing versions 17.9.2, 17.8.5, and 17.7.7, the vulnerabilities have been effectively addressed, thwarting potential exploitation within GitLab instances utilizing SAML authentication. Nevertheless, successful exploitation necessitates that the attacker has previously compromised a valid user account.
To elaborate, the attacker must possess a signed SAML document from the Identity Provider (IdP) to authenticate as another user within the SAML environment. Consequently, while the vulnerabilities are indeed severe, the prerequisite of prior access to a valid user account curtails immediate impact. Nonetheless, the looming threat remains significant for the organizations affected by these security gaps.
In conclusion, the discovery of these vulnerabilities underscores the importance of prompt updates and vigilant security measures in the realm of SAML authentication. By swiftly addressing these issues and implementing necessary safeguards, organizations can mitigate potential risks and uphold the integrity of their systems.