Cyber Posture

CVE-2025-25291

Severity: Critical · Public PoC

Published: 12 March 2025
Modified: 03 November 2025
KEV Added: none recorded
Patch: 12 March 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2084 (95.6th percentile)
Risk Priority: 32 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.

Security Summary

CVE-2025-25291 is an authentication bypass vulnerability in the ruby-saml library, which provides Security Assertion Markup Language (SAML) single sign-on (SSO) functionality for Ruby applications. The issue affects versions prior to 1.12.4 and 1.18.0 and stems from a parser differential between the ReXML and Nokogiri XML parsers. The two parsers can produce different document structures from the same XML input, so the element whose digest is checked need not be the element whose signature is verified, which enables a Signature Wrapping attack. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-347 (Improper Verification of Cryptographic Signature) and CWE-436 (Interpretation Conflict).

A remote, unauthenticated attacker can exploit this vulnerability by crafting malicious SAML XML payloads that exploit the parsing discrepancy. This allows the attacker to bypass authentication checks, potentially signing in as any user without valid credentials. The attack requires no user interaction or privileges, making it highly practical over the network.

Advisories and patches recommend upgrading to ruby-saml versions 1.12.4 or 1.18.0, where the issue is fixed via specific commits addressing the parser handling. GitLab released version 17.9.2 on March 12, 2025, to patch affected instances, and a GitHub security blog post details the parser differential technique used in the Signature Wrapping attack.
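As an added example (not code from the page or from ruby-saml, and no substitute for upgrading), the structural pre-check below is one a relying party can run before signature verification: it parses the response with a single parser (REXML from the Ruby standard library) and reports any document where a Signature Reference does not resolve to exactly one element, where that element is not the Assertion being consumed, or where more than one Assertion is present. Both SAML documents are constructed samples with the signature body abbreviated.

```ruby
require 'rexml/document'

NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
       'ds'   => 'http://www.w3.org/2000/09/xmldsig#' }.freeze

# Structural pre-check against signature wrapping. Returns findings; an empty
# list means: exactly one Assertion, each Signature Reference resolves to one
# element, the Signature sits directly inside that element, and the element is
# the Assertion being consumed (or the Response enclosing it).
def signature_wrapping_findings(xml)
  doc = REXML::Document.new(xml)
  findings = []
  ids = Hash.new { |h, k| h[k] = [] }
  doc.each_element('//*[@ID]') { |e| ids[e.attributes['ID']] << e }
  ids.each { |id, els| findings << "duplicate ID #{id}" if els.size > 1 }
  assertions = REXML::XPath.match(doc, '//saml:Assertion', NS)
  findings << "expected one Assertion, found #{assertions.size}" if assertions.size != 1
  refs = REXML::XPath.match(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', NS)
  findings << 'no Signature Reference present' if refs.empty?
  refs.each do |ref|
    uri = ref.attributes['URI'].to_s
    targets = ids[uri.delete_prefix('#')]
    if targets.size != 1
      findings << "Reference #{uri} resolves to #{targets.size} elements"
      next
    end
    signed = targets.first
    signature = ref.parent.parent # Reference -> SignedInfo -> Signature
    findings << "Signature is not a child of #{uri}" unless signature.parent.equal?(signed)
    unless signed.equal?(assertions.first) || signed.equal?(doc.root)
      findings << "signed element <#{signed.name}> is not the consumed Assertion"
    end
  end
  findings
end

# Constructed sample: one Assertion signed in place (signature body abbreviated).
GOOD_RESPONSE = <<~XML
  <samlp:Response ID="_r1" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: a second, unsigned Assertion reuses the signed ID.
DUPLICATE_ID_RESPONSE = GOOD_RESPONSE.sub('</samlp:Response>',
  '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>' \
  '</saml:Assertion></samlp:Response>')
```

The check is deliberately conservative: it rejects anything ambiguous rather than trying to decide which of two candidate elements the signature "really" covers.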

Details

CWE(s)
CWE-347 (Improper Verification of Cryptographic Signature) · CWE-436 (Interpretation Conflict)

Affected Products

omniauth / omniauth saml: ≤ 1.10.6; 2.0.0 to 2.1.3; 2.2.0 to 2.2.3
onelogin / ruby-saml: ≤ 1.12.4; 1.13.0 to 1.18.0
netapp / storagegrid: all versions

MITRE ATT&CK Enterprise Techniques

T1606.002 SAML Tokens (Credential Access)
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Why these techniques?

The vulnerability in ruby-saml enables signature wrapping attacks exploiting parser differentials between ReXML and Nokogiri, allowing adversaries to forge SAML tokens for authentication bypass and impersonation.

References