omniauth-saml 2.2.1

1 security vulnerability found in version 2.2.1

omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue

critical severity GHSA-hw46-3hmr-x9xv
critical severity GHSA-hw46-3hmr-x9xv
Affected versions: >= 2.2.0, < 2.2.3

Summary

There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml.

The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.

Please upgrade the ruby-saml requirement to v1.18.0.

Impact

Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.