ruby-saml 0.3.0
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)
critical severity, CVE-2025-25292, patched versions: ~> 1.12.4, >= 1.18.0
Summary
An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, so the two parsers can generate entirely different document structures from the same XML input, which allows an attacker to execute a Signature Wrapping attack.
Impact
This issue may lead to authentication bypass.
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
critical severity, CVE-2025-25291, patched versions: ~> 1.12.4, >= 1.18.0
Summary
An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, so the two parsers can generate entirely different document structures from the same XML input, which allows an attacker to execute a Signature Wrapping attack.
Impact
This issue may lead to authentication bypass.
SAML authentication bypass via Incorrect XPath selector
critical severity, CVE-2024-45409, patched versions: ~> 1.12.3, >= 1.17.0
Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents, which would allow the attacker to log in as an arbitrary user within the vulnerable system.
ruby-saml gem is vulnerable to XPath injection
critical severity, CVE-2015-20108, patched versions: >= 1.0.0
xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.
The lack of prepared statements may allow command injection, leading to arbitrary code execution.
Ruby-Saml Gem is vulnerable to arbitrary code execution
high severity, OSVDB-117903, patched versions: >= 0.8.2
ruby-saml contains a flaw that is triggered because the URI value of a SAML response is not properly sanitized through a prepared statement. This may allow a remote attacker to execute arbitrary shell commands on the host machine.
Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses
high severity, CVE-2025-25293, patched versions: ~> 1.12.4, >= 1.18.0
Summary
ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses.
ruby-saml uses zlib to decompress SAML responses when they are compressed. The message size check can be bypassed with a compressed assertion, because the message size is checked before inflation rather than after it.
Impact
This issue may lead to remote Denial of Service (DoS).
Authentication bypass via incorrect XML canonicalization and DOM traversal
high severity, CVE-2017-11428, patched versions: >= 1.7.0
ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect XML canonicalization and DOM traversal. Specifically, there are inconsistencies in the handling of comments within XML nodes, resulting in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature of the SAML message.
A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.
XML signature wrapping attack
high severity, CVE-2016-5697, patched versions: >= 1.3.0
ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack in the specific scenario where a signature referenced two elements at the same time, yet passed the schema validation step because one of the elements was inside the encrypted assertion.
ruby-saml users must update to 1.3.0, which implements three extra validations to mitigate this kind of attack.
Ruby-Saml Gem is vulnerable to entity expansion attacks
medium severity, OSVDB-124383, patched versions: >= 1.0.0
ruby-saml before 1.0.0 is vulnerable to entity expansion attacks.
Ruby SAML DOS vulnerability with large SAML response
medium severity, CVE-2025-54572, patched versions: >= 1.18.1
Summary
A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.
Details
ruby-saml includes a message_max_bytesize setting intended to prevent DoS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code:
def decode_raw_saml(saml, settings = nil)
  return saml unless base64_encoded?(saml)
  # <--- Issue here. Should be moved after next code block.
  settings = OneLogin::RubySaml::Settings.new if settings.nil?
  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " +
      settings.message_max_bytesize.to_s +
      " bytes, so was rejected")
  end
  decoded = decode(saml)
  ...
end
The vulnerability is in the execution order. Before the bytesize is checked, the base64_encoded? function performs regex matching on the entire input string:
!!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
Impact
When successfully exploited, this vulnerability can lead to:
- Excessive memory consumption
- High CPU utilization
- Application slowdown or unresponsiveness
- Complete application crash in severe cases
- Potential denial of service for legitimate users
All applications using ruby-saml with SAML configured and enabled are vulnerable.
Potential Solution
Reorder the validation steps to ensure the maximum bytesize is checked first:
def decode_raw_saml(saml, settings = nil)
  settings = OneLogin::RubySaml::Settings.new if settings.nil?
  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " +
      settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end
  return saml unless base64_encoded?(saml)
  decoded = decode(saml)
  ...
end
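The two size-ordering problems on this page (CVE-2025-25293, where the size is checked before inflation but not after, and CVE-2025-54572, where a regex runs over the input before the size is checked) have the same shape: an expensive operation on attacker-sized input precedes the cheap bound on it. The following is an added example, not ruby-saml's own code, of a decoder that applies the bound at both ends: an O(1) bytesize check before the format regex, and a capped inflate so the limit also holds for the decompressed bytes. The limits, the MessageTooLarge class, the encode_saml helper and bounded_inflate are constructed for this example; the base64 regex mirrors the idea of the gem's BASE64_FORMAT constant rather than being copied from it.

```ruby
# Added example (not ruby-saml's own code): decode a SAML message while
# enforcing a size limit before any regex runs and again after inflation.
require "base64"
require "zlib"

class MessageTooLarge < StandardError; end

# Strict base64 shape: groups of four, optionally ending in one or two "=".
# Constructed here; it mirrors the intent of the gem's BASE64_FORMAT.
BASE64_FORMAT = %r{\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)\z}

MAX_ENCODED_BYTES  = 250_000    # constructed limit on the message as received
MAX_INFLATED_BYTES = 1_000_000  # constructed limit on the message after inflation

# Same shape as the check quoted in the advisory. It walks the whole input,
# so the caller must bound the input size before calling it.
def base64_encoded?(string)
  !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
end

# Inflate raw DEFLATE data (the form used by the HTTP-Redirect binding) while
# bounding the total output. Input is fed in 256-byte slices so the output
# size is re-checked before any single step can grow without bound.
def bounded_inflate(data, max_bytes)
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = String.new(encoding: Encoding::BINARY)
  begin
    (0...data.bytesize).step(256) do |offset|
      out << inflater.inflate(data.byteslice(offset, 256))
      if out.bytesize > max_bytes
        raise MessageTooLarge, "inflated message exceeds #{max_bytes} bytes"
      end
    end
    out << inflater.finish unless inflater.finished?
  ensure
    inflater.close
  end
  out
end

def decode_raw_saml(saml, max_encoded: MAX_ENCODED_BYTES, max_inflated: MAX_INFLATED_BYTES)
  # 1. O(1) size check before anything inspects the content of the input.
  if saml.bytesize > max_encoded
    raise MessageTooLarge, "encoded message is #{saml.bytesize} bytes, limit is #{max_encoded}"
  end
  # 2. Only now run the linear-time format check.
  return saml unless base64_encoded?(saml)
  decoded = Base64.decode64(saml)
  # 3. Inflate with a cap on the output. Input that is not deflate-compressed
  #    makes zlib raise, and is then returned as decoded; this is the same
  #    fallback the gem relies on for uncompressed (HTTP-POST) messages.
  begin
    bounded_inflate(decoded, max_inflated)
  rescue Zlib::Error
    decoded
  end
end

# Helper for the usage below: encode a message the way a redirect-binding
# sender does (raw deflate, then base64). Constructed for this example.
def encode_saml(message)
  deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  compressed = deflater.deflate(message, Zlib::FINISH)
  deflater.close
  Base64.strict_encode64(compressed)
end

if $PROGRAM_NAME == __FILE__
  request = '<samlp:AuthnRequest ID="_example"/>'
  puts decode_raw_saml(encode_saml(request)) == request   # true
  bomb = encode_saml("\0" * 4_000_000)                    # a few KB once encoded
  begin
    decode_raw_saml(bomb)
  rescue MessageTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The slice size in bounded_inflate only bounds the overshoot of a single step (DEFLATE cannot expand a slice by more than roughly a thousand times), so the cap is enforced to within that margin rather than exactly; what matters for the DoS case is that the loop stops early instead of materialising the whole payload.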
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leak issues.
The author did not declare a license for this gem in the gemspec.
This gem version has an MIT license in the source code; however, it was not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for usage.