ruby-saml 1.1.0

6 security vulnerabilities found in version 1.1.0

Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)

critical severity CVE-2025-25292
Patched versions: ~> 1.12.4, >= 1.18.0

Summary

An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, so the two parsers can produce entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack.

Impact

This issue may lead to authentication bypass.

Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)

critical severity CVE-2025-25291
Patched versions: ~> 1.12.4, >= 1.18.0

Summary

An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, so the two parsers can produce entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack.

Impact

This issue may lead to authentication bypass.

SAML authentication bypass via Incorrect XPath selector

critical severity CVE-2024-45409
Patched versions: ~> 1.12.3, >= 1.17.0

Ruby-SAML in versions <= 12.2 and in 1.13.0 through 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system.

Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses

high severity CVE-2025-25293
Patched versions: ~> 1.12.4, >= 1.18.0

Summary

ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses.

Ruby-saml uses zlib to decompress SAML responses when they are compressed. It is possible to bypass the message size check with a compressed assertion, because the message size is checked before inflation and not after.

Impact

This issue may lead to remote Denial of Service (DoS).
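The size-check ordering described above, shown as an added example (not ruby-saml's own code): a pre-inflation check looks only at the compressed bytes, while a bounded inflater enforces the limit on the output as zlib produces it. The limit, the sample message and the highly compressible input are all constructed for this example; the raw-deflate window setting matches what the HTTP-Redirect binding uses.

```ruby
require "zlib"

# Assumed limit for this example, not ruby-saml's own setting.
MAX_INFLATED_BYTES = 250_000

# Constructed sample payloads (not real SAML traffic).
SAMPLE_RESPONSE = '<samlp:Response ID="_example" IssueInstant="2025-01-01T00:00:00Z"/>'
OVERSIZED_PLAINTEXT = "A" * 5_000_000 # compresses to a few KB

class InflatedMessageTooLarge < StandardError; end

# Raw deflate (no zlib header), as used for the HTTP-Redirect binding.
def raw_deflate(str)
  deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  out = deflater.deflate(str, Zlib::FINISH)
  deflater.close
  out
end

# Inflate while bounding the *output* size. The block form of
# Zlib::Inflate#inflate yields decompressed chunks as they are produced,
# so an input that expands far beyond the limit is rejected early instead
# of being fully expanded into memory first.
def bounded_inflate(compressed, limit: MAX_INFLATED_BYTES)
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = +""
  inflater.inflate(compressed) do |chunk|
    out << chunk
    raise InflatedMessageTooLarge, "inflated size exceeds #{limit} bytes" if out.bytesize > limit
  end
  out << inflater.finish
  inflater.close
  out
end

# Compare the weak check (compressed size only) with the bounded inflate.
def inspect_message(compressed, limit: MAX_INFLATED_BYTES)
  passes_precheck = compressed.bytesize <= limit
  inflated = bounded_inflate(compressed, limit: limit)
  { precheck: passes_precheck, rejected: false, inflated_bytes: inflated.bytesize }
rescue InflatedMessageTooLarge
  { precheck: passes_precheck, rejected: true, inflated_bytes: nil }
end
```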

Authentication bypass via incorrect XML canonicalization and DOM traversal

high severity CVE-2017-11428
Patched versions: >= 1.7.0

ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect XML canonicalization and DOM traversal. Specifically, comments within XML nodes are handled inconsistently, so the inner text of such nodes is parsed incorrectly: any inner text after the comment is lost before the SAML message is cryptographically signed. Text after the comment therefore has no effect on the signature of the SAML message.

A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.

XML signature wrapping attack

high severity CVE-2016-5697
Patched versions: >= 1.3.0

ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack in the specific scenario where a single signature referenced 2 elements at the same time, yet still passed the schema validation step because 1 of the elements was inside the encrypted assertion.

ruby-saml users must update to 1.3.0, which implements 3 extra validations to mitigate this kind of attack.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leak issues.

No license issues detected.

This gem version has a license in the gemspec.

This gem version is available.

This gem version has not been yanked and is still available for use.