CVE-2025-25292
Published: 12 March 2025
Description
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Security Summary
CVE-2025-25292 is an authentication bypass vulnerability in the ruby-saml library, which provides Security Assertion Markup Language (SAML) single sign-on (SSO) functionality for Ruby applications. The flaw affects versions prior to 1.12.4 and 1.18.0 (the two fixed releases) and arises from a parser differential between the REXML and Nokogiri XML parsers. These parsers can produce entirely different document structures from the same XML input, so a Signature Wrapping attack can cause the signature to be verified against one structure while the application acts on another, undermining SAML authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-347 (Improper Verification of Cryptographic Signature) and CWE-436 (Interpretation Conflict).
Attackers require no privileges and can exploit the issue remotely over the network with low complexity and no user interaction. By submitting a specially crafted SAML response that leverages the parser discrepancy, an attacker can bypass authentication, potentially impersonating any user in ruby-saml-dependent applications, such as those using SAML SSO for access control.
Mitigation involves upgrading to ruby-saml versions 1.12.4 or 1.18.0, which contain patches addressing the parser differential, as documented in the library's commit history and release notes. GitLab released version 17.9.2 to patch the issue, and a GitHub security blog post details the parser differentials enabling SAML SSO bypass.
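An added check (not from the advisory or the ruby-saml project) that applies the fixed versions named above to the ruby-saml entries in a Gemfile.lock. It assumes 1.12.4 is a backported fix on the 1.12.x maintenance branch, so 1.12.4 and later 1.12.x releases count as fixed, while 1.13.0 up to but not including 1.18.0 does not.

```ruby
# Added example: flag ruby-saml versions affected by CVE-2025-25292 using the
# fixed releases named in the advisory (1.12.4 and 1.18.0).
require "rubygems"

# Assumption: 1.12.4 fixes the 1.12.x maintenance branch and 1.18.0 fixes the
# main branch, so a version is affected when it is below 1.12.4, or when it is
# 1.13.0 or later but below 1.18.0.
FIX_LEGACY   = Gem::Version.new("1.12.4")
FIX_CURRENT  = Gem::Version.new("1.18.0")
BRANCH_SPLIT = Gem::Version.new("1.13.0")

def ruby_saml_affected?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < FIX_LEGACY
  return true if v >= BRANCH_SPLIT && v < FIX_CURRENT
  false
end

# Scan Gemfile.lock text for resolved ruby-saml entries. The specs: section
# lists each resolved gem as "    ruby-saml (1.17.0)"; dependency lines such
# as "ruby-saml (~> 1.12)" carry an operator and are deliberately not matched.
def affected_ruby_saml_entries(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/^\s+ruby-saml \((\d+(?:\.\d+)*)\)\s*$/)
    next unless m
    [m[1], ruby_saml_affected?(m[1])]
  end
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

if __FILE__ == $PROGRAM_NAME
  affected_ruby_saml_entries(SAMPLE_LOCK).each do |version, affected|
    status = affected ? "AFFECTED, upgrade to 1.12.4 or 1.18.0" : "not affected"
    puts "ruby-saml #{version}: #{status}"
  end
end
```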
Details
- CWE(s): CWE-347 (Improper Verification of Cryptographic Signature); CWE-436 (Interpretation Conflict)
Affected Products
- ruby-saml versions prior to 1.12.4 and 1.18.0; GitLab (patched in 17.9.2)
MITRE ATT&CK Enterprise Techniques
- T1606.002 (Forge Web Credentials: SAML Tokens); T1190 (Exploit Public-Facing Application)
Why these techniques?
The ruby-saml vulnerability enables authentication bypass via Signature Wrapping attacks that exploit XML parser differentials (REXML vs. Nokogiri), allowing attackers to forge SAML tokens (T1606.002) and to exploit public-facing SAML SSO applications (T1190).