GitHub Uncovers New ruby-saml Vulnerabilities Allowing Account Takeover Attacks

Mar 13, 2025 Ravie Lakshmanan Authentication / Risk

Two high-severity security flaws have been disclosed in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections.

SAML is an XML-based markup language and open standard used for exchanging authentication and authorization data between parties, enabling features like single sign-on (SSO), which allows individuals to use a single set of credentials to access multiple sites, services, and apps.

The vulnerabilities, tracked as and , carry a CVSS score of 8.8 out of 10.0. They affect the following versions of the library:

  • < 1.12.4
  • >= 1.13.0, < 1.18.0

Both shortcomings stem from the fact that REXML and Nokogiri parse XML differently, so the two parsers can produce entirely different document structures from the same XML input.

This parser differential allows an attacker to perform a Signature Wrapping attack, leading to an authentication bypass. The vulnerabilities have been addressed in ruby-saml versions 1.12.4 and 1.18.0.

Microsoft-owned GitHub, which discovered and reported the flaws in November 2024, said they could be abused by malicious actors to perform account takeover attacks.

"Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user," GitHub Security Lab researcher Peter Stöckli said in a blog post.

The Microsoft-owned company also noted that the problem boils down to a "disconnect" between hash verification and signature verification, opening the door to exploitation via a parser differential.
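The structural guard below is an added illustration of the defensive idea behind the "disconnect" described above; it is not ruby-saml's own code. It uses a single REXML tree for both resolving the signed reference and extracting the NameID, rejects any document whose ID attributes are not unique, and leaves the actual digest and signature cryptography out (the DigestValue in the constructed sample is a placeholder).

```ruby
require 'rexml/document'

DS_NS   = { 'ds' => 'http://www.w3.org/2000/09/xmldsig#' }.freeze
SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Structural guard against signature wrapping: exactly one ds:Reference, every
# ID in the document unique, and the referenced ID resolving to one
# saml:Assertion. Digest/signature verification (omitted here) and NameID
# extraction should both run on this same REXML tree, never on two parsers.
def signed_assertion(xml)
  doc = REXML::Document.new(xml)
  ids = REXML::XPath.match(doc, '//*[@ID]').map { |e| e.attributes['ID'] }
  raise 'duplicate ID attributes in document' if ids.uniq.size != ids.size
  refs = REXML::XPath.match(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', DS_NS)
  raise "expected exactly one ds:Reference, found #{refs.size}" unless refs.size == 1
  uri = refs.first.attributes['URI'].to_s
  # Only same-document references of the form "#id" with a simple ID are accepted.
  raise 'unsupported Reference URI' unless uri.match?(/\A#[\w.\-]+\z/)
  target = REXML::XPath.match(doc, "//*[@ID='#{uri[1..]}']")
  raise 'signed ID does not resolve to a single element' unless target.size == 1
  el = target.first
  unless el.name == 'Assertion' && el.namespace == SAML_NS['saml']
    raise 'signed element is not a saml:Assertion'
  end
  el
end

# Reads the subject from the signed assertion only, never from a sibling node.
def signed_name_id(xml)
  REXML::XPath.first(signed_assertion(xml), './saml:Subject/saml:NameID', SAML_NS)&.text
end

# Constructed sample: one signed Assertion (DigestValue is a placeholder).
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: a second element reuses the signed ID, so the reference is
# ambiguous and two parsers could legitimately disagree on which node it names.
AMBIGUOUS_RESPONSE = GOOD_RESPONSE.sub('</samlp:Response>',
  '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>other</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
```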

Versions 1.12.4 and 1.18.0 also plug a remote denial-of-service (DoS) flaw when handling compressed SAML responses (CVE-2025-25293, CVSS score: 7.7). Users are recommended to update to the latest version to safeguard against potential threats.

The findings come nearly six months after GitLab and ruby-saml moved to address another critical vulnerability ( , CVSS score: 10.0) that could also result in an authentication bypass.
