GitHub Discovers Critical Vulnerabilities in ruby-saml Library Leading to Account Takeovers

Security researchers at GitHub’s Security Lab have uncovered two critical vulnerabilities in the open-source ruby-saml library that could allow attackers to bypass authentication and take over user accounts. These vulnerabilities, identified as CVE-2025-25291 and CVE-2025-25292, affect ruby-saml versions up to 1.17.0 and have been assigned a high severity CVSS score of 8.8.

Understanding the Risk

ruby-saml is a widely used library that facilitates Security Assertion Markup Language (SAML) authentication for web applications. SAML is a crucial standard for single sign-on (SSO) solutions, enabling secure authentication across multiple services.

The vulnerabilities arise due to inconsistencies in how the ruby-saml library processes XML signatures using two different parsers—REXML and Nokogiri. These discrepancies create an opportunity for attackers to exploit a "Signature Wrapping" vulnerability, allowing them to forge SAML responses and impersonate users.

How the Attack Works

An attacker who gains access to a validly signed SAML response can manipulate the XML structure to trick applications into accepting an unauthorized authentication assertion. This means attackers can bypass security measures and gain access to protected accounts without valid credentials.

Once exploited, this vulnerability can lead to severe consequences, including unauthorized access to sensitive data, privilege escalation, and potential lateral movement within an organization’s systems.

Mitigation and Recommendations

The maintainers of ruby-saml have addressed these security flaws in versions 1.12.4 and 1.18.0. Organizations using vulnerable versions of the library are strongly advised to update immediately to mitigate the risk of exploitation.

In addition to updating the library, security experts recommend implementing the following best practices:

• Regularly audit and test SAML implementations for security weaknesses.

• Enforce strict validation of XML signatures to prevent tampering.

• Monitor authentication logs for unusual or unauthorized access attempts.

• Apply security patches and updates as soon as they become available.

  
  

The Bigger Picture

This discovery highlights the ongoing security risks associated with third-party libraries and the need for rigorous security assessments in software development. Open-source security vulnerabilities remain a significant concern, and organizations must stay proactive in monitoring and securing their authentication mechanisms.

For further details, developers and security teams can refer to GitHub’s official security advisory and update their implementations accordingly.