Cybersecurity Threat Advisory: Critical authentication bypass in ruby-saml

CVE-2025-25291 and CVE-2025-25292 are two authentication bypass vulnerabilities in ruby-saml caused by a parser differential. The library uses both ReXML and Nokogiri, and the two parsers can build entirely different document structures from the same XML input. An attacker can exploit that disagreement to carry out a Signature Wrapping attack, in which the element whose signature is verified is not the element whose contents end up being trusted. Both flaws carry a high CVSS score of 8.8. Continue reading this Cybersecurity Threat Advisory to reduce the risk to your environment.

What is the threat?

A pair of vulnerabilities in the open-source ruby-saml library could let attackers bypass authentication in applications that use SAML (Security Assertion Markup Language) for single sign-on (SSO). SSO lets users log in once and reach multiple applications and services with one set of credentials. The flaws enable a “Signature Wrapping” attack: an attacker who holds any validly signed SAML document from the identity provider (for example, an assertion issued for their own low-privilege account) can add unsigned content that the library ends up trusting, while the signature check still passes on the original signed element. Affected versions are ruby-saml before 1.12.4, and 1.13.0 up to but not including 1.18.0.
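The mechanism of a Signature Wrapping attack, and the check that defeats it, as an added example that is not code from this advisory or from ruby-saml. It is written in Ruby against REXML only: a hypothetical identity provider signs one assertion, an attacker inserts an unsigned assertion in front of it without touching the signed bytes, and a naive service provider that verifies the signature and then separately looks up "the" assertion accepts the attacker's content. The IdP key, the messages, the element IDs and the serialization-based canonicalization are constructed for the demo (real XML-DSig uses Exclusive C14N with transforms), and the ruby-saml bug itself involved two parsers disagreeing on the tree rather than one parser returning the wrong sibling; the violated invariant is the same in both cases: the element consumed must be the element the signature was verified over.

```ruby
require 'rexml/document'
require 'openssl'

SAML_NS  = 'urn:oasis:names:tc:SAML:2.0:assertion'
SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol'
DS_NS    = 'http://www.w3.org/2000/09/xmldsig#'
NS = { 'saml' => SAML_NS, 'ds' => DS_NS }

# Demo-only IdP key pair generated at runtime (assumption: stands in for the
# identity provider's real signing certificate).
IDP_KEY = OpenSSL::PKey::RSA.new(2048)

# Simplified canonicalization: REXML's default serialization of the element.
# Real XML-DSig uses Exclusive C14N plus transforms; the wrapping logic below
# does not depend on which canonicalization is used.
def canon(elem)
  out = +''
  REXML::Formatters::Default.new.write(elem, out)
  out
end

# Hypothetical IdP: one Assertion (ID "_a1") plus a ds:Signature on the
# Response whose Reference URI points at that assertion. Constructed message.
def build_signed_response(name_id)
  doc = REXML::Document.new(<<~XML)
    <samlp:Response xmlns:samlp="#{SAMLP_NS}" xmlns:saml="#{SAML_NS}" ID="_r1">
      <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>#{name_id}</saml:NameID></saml:Subject></saml:Assertion>
    </samlp:Response>
  XML
  assertion = REXML::XPath.first(doc, "//saml:Assertion[@ID='_a1']", NS)
  raw_sig = IDP_KEY.sign(OpenSSL::Digest.new('SHA256'), canon(assertion))
  sig = doc.root.add_element('ds:Signature', 'xmlns:ds' => DS_NS)
  sig.add_element('ds:SignedInfo').add_element('ds:Reference', 'URI' => '#_a1')
  sig.add_element('ds:SignatureValue').text = [raw_sig].pack('m0') # strict base64
  doc.to_s
end

# Attacker: leaves the signed assertion and its signature untouched and
# inserts an unsigned forged Assertion in front of it.
def wrap(response_xml, forged_name_id)
  doc = REXML::Document.new(response_xml)
  signed = REXML::XPath.first(doc, "//saml:Assertion[@ID='_a1']", NS)
  forged = REXML::Element.new('saml:Assertion')
  forged.add_attribute('ID', '_evil')
  forged.add_element('saml:Subject').add_element('saml:NameID').text = forged_name_id
  doc.root.insert_before(signed, forged)
  doc.to_s
end

# Verifies the signature over whatever element the Reference URI resolves to
# and returns that element: the only thing the signature actually vouches for.
def verify_signature(doc, pubkey)
  ref = REXML::XPath.first(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', NS)
  raise 'missing Signature/Reference' unless ref
  id = ref.attributes['URI'].to_s.delete_prefix('#')
  raise 'unsafe reference id' unless id.match?(/\A[\w.-]+\z/) # keep attacker data out of the XPath
  targets = REXML::XPath.match(doc, "//*[@ID='#{id}']")
  raise 'reference must resolve to exactly one element' unless targets.size == 1
  sig_b64 = REXML::XPath.first(doc, '//ds:Signature/ds:SignatureValue', NS).text
  ok = pubkey.verify(OpenSSL::Digest.new('SHA256'), sig_b64.unpack1('m0'), canon(targets.first))
  raise 'signature does not verify' unless ok
  targets.first
end

# Vulnerable pattern: the signature check and the assertion lookup are
# decoupled, so the assertion consumed is whichever one the parser returns first.
def name_id_vulnerable(xml, pubkey)
  doc = REXML::Document.new(xml)
  verify_signature(doc, pubkey)
  assertion = REXML::XPath.first(doc, '//saml:Assertion', NS)
  REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', NS).text
end

# Hardened pattern: require exactly one Assertion and consume only the element
# the signature was verified over.
def name_id_hardened(xml, pubkey)
  doc = REXML::Document.new(xml)
  assertions = REXML::XPath.match(doc, '//saml:Assertion', NS)
  raise 'exactly one Assertion expected' unless assertions.size == 1
  signed = verify_signature(doc, pubkey)
  raise 'signed element is not the Assertion' unless signed.equal?(assertions.first)
  REXML::XPath.first(signed, 'saml:Subject/saml:NameID', NS).text
end

def hardened_result(xml, pubkey)
  name_id_hardened(xml, pubkey)
rescue RuntimeError => e
  "rejected: #{e.message}"
end

def demo
  pub = IDP_KEY.public_key
  legit = build_signed_response('alice')
  wrapped = wrap(legit, 'admin')
  {
    legit_vulnerable: name_id_vulnerable(legit, pub),     # "alice"
    wrapped_vulnerable: name_id_vulnerable(wrapped, pub), # "admin": signature still verifies
    legit_hardened: hardened_result(legit, pub),          # "alice"
    wrapped_hardened: hardened_result(wrapped, pub)       # "rejected: exactly one Assertion expected"
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Two details carry over to real service-provider code: the attacker controls the Reference URI, so it is validated before being interpolated into an XPath, and the element count check comes before the signature check so that a response with more than one assertion is rejected no matter which element the signature covers.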

Why is it noteworthy?

SAML is a widely used standard for securely exchanging authentication and authorization data. It powers SSO, letting users access multiple services with one login. A flaw in this process could allow unauthorized access to systems that depend on it.

What is the exposure or risk?

An attacker who can get a service provider to accept forged SAML assertion content could impersonate any user, gaining unauthorized access to sensitive systems. This could lead to account takeovers, privilege escalation, or data breaches. Organizations running vulnerable ruby-saml versions directly, or through libraries built on it such as omniauth-saml, are at risk. If exploited, this vulnerability could let attackers bypass the login step, reach critical applications, and pivot to other systems. The impact is worse where SAML is used for SSO across many services, because a single forged login could grant access to all of them.

What are the recommendations?

Barracuda recommends the following actions to mitigate the risk to your environment:

  • Update ruby-saml to version 1.18.0 or later, or, if you are on the 1.12 branch, to version 1.12.4. If you use omniauth-saml or other dependencies that rely on ruby-saml, make sure they resolve to a patched version; check the version recorded in Gemfile.lock, not just the constraint in the Gemfile.
  • Review authentication logs for unusual login attempts or unauthorized access patterns.
  • Utilize multi-factor authentication (MFA) to reduce reliance on SAML authentication alone. Note that MFA enforced only at the identity provider does not help against this flaw, because the attacker bypasses the service provider's check of the assertion rather than the identity provider's login; a second factor helps only if the application enforces it itself.
  • Restrict SAML assertion acceptance to known and trusted identity providers.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
