ruby-saml 1.14.0

7 security vulnerabilities found in version 1.14.0

Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation

critical severity CVE-2025-66568
Affected versions: < 1.18.0

Summary

In ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability caused by an issue in the libxml2 canonicalization process that Nokogiri uses for document transformation. This allows an attacker to execute a Signature Wrapping attack. Version 1.18.0 is not affected.

Details

When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded.

Impact

  1. Digest bypass: By crafting input that causes canonicalization to yield an empty string, the attacker can manipulate validation to pass incorrectly.

  2. Signature replay on empty canonical form: If an empty string has been signed once (e.g., in a prior interaction or via a misconfigured flow), that signature can potentially be replayed to bypass authentication.
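The check the Details section implies, as an added example that is not ruby-saml's own code: a ds:Reference digest verifier that treats an empty (or missing) canonical form as a failure instead of hashing it, which also closes the replay case above, since a DigestValue equal to the digest of "" can never match. The DigestMethod URIs are the standard XML-DSig identifiers; the function names and the DigestCheckError class are assumptions made for this example.

```ruby
# Added example, not ruby-saml code: a ds:Reference digest check that refuses
# an empty canonical form instead of computing a digest over it.
require 'digest'

# XML-DSig DigestMethod URIs mapped to stdlib digest classes.
DIGEST_METHODS = {
  'http://www.w3.org/2000/09/xmldsig#sha1'  => Digest::SHA1,
  'http://www.w3.org/2001/04/xmlenc#sha256' => Digest::SHA256,
  'http://www.w3.org/2001/04/xmlenc#sha512' => Digest::SHA512
}.freeze

# Raised for every condition under which the digest must be treated as invalid
# (hypothetical class name chosen for this example).
class DigestCheckError < StandardError; end

# Constant-time comparison so a mismatch does not leak how many leading bytes agree.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# canonical_xml    - output of the canonicalization step (String, possibly empty or nil)
# digest_method    - Algorithm URI from the ds:DigestMethod element
# digest_value_b64 - base64 text of the ds:DigestValue element
# Returns true only when the digest of a NON-EMPTY canonical form matches;
# raises DigestCheckError in every other case, so empty output from the
# canonicalizer can never be mistaken for a successfully canonicalized node.
def verify_reference_digest(canonical_xml, digest_method, digest_value_b64)
  if canonical_xml.nil? || canonical_xml.strip.empty?
    raise DigestCheckError, 'canonicalization produced no output; refusing to digest an empty document'
  end

  algo = DIGEST_METHODS.fetch(digest_method) do
    raise DigestCheckError, "unsupported DigestMethod #{digest_method}"
  end

  expected = begin
    digest_value_b64.to_s.strip.unpack1('m0') # strict base64: malformed input raises
  rescue ArgumentError
    raise DigestCheckError, 'DigestValue is not valid base64'
  end

  actual = algo.digest(canonical_xml)
  raise DigestCheckError, 'DigestValue does not match canonical form' unless secure_equal?(actual, expected)
  true
end
```

Call `verify_reference_digest` with the canonicalizer's output as-is: the empty check runs before any hashing, so the result of a failed canonicalization is rejected regardless of what DigestValue the message carries.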

Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)

critical severity CVE-2025-66567
Affected versions: < 1.18.0

Summary

In ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability caused by an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, so the two parsers can generate entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack. Version 1.18.0 is not affected.

Impact

This allows an attacker to execute a Signature Wrapping attack and bypass authentication.

Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)

critical severity CVE-2025-25292
Patched versions: ~> 1.12.4, >= 1.18.0

Summary

An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, so the two parsers can generate entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack.

Impact

This issue may lead to authentication bypass.

Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)

critical severity CVE-2025-25291
Patched versions: ~> 1.12.4, >= 1.18.0

Summary

An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, so the two parsers can generate entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack.

Impact

This issue may lead to authentication bypass.

SAML authentication bypass via Incorrect XPath selector

critical severity CVE-2024-45409
Patched versions: ~> 1.12.3, >= 1.17.0

Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system.

Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses

high severity CVE-2025-25293
Patched versions: ~> 1.12.4, >= 1.18.0

Summary

ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses.

Ruby-saml uses zlib to decompress SAML responses when they are compressed. It is possible to bypass the message size check with a compressed assertion, since the message size is checked before inflation and not after.

Impact

This issue may lead to remote Denial of Service (DoS).

Ruby SAML DOS vulnerability with large SAML response

medium severity CVE-2025-54572
Patched versions: >= 1.18.1

Summary

A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.

Details

ruby-saml includes a message_max_bytesize setting intended to prevent DoS attacks and decompression bombs. However, this protection is ineffective in some cases because of the order of operations in the code:

https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb

    def decode_raw_saml(saml, settings = nil)
      return saml unless base64_encoded?(saml)   # <--- Issue here. Should be moved after next code block.

      settings = OneLogin::RubySaml::Settings.new if settings.nil?
      if saml.bytesize > settings.message_max_bytesize
        raise ValidationError.new("Encoded SAML Message exceeds " +
          settings.message_max_bytesize.to_s +
          " bytes, so was rejected")
      end
      decoded = decode(saml)
      ...
    end

The vulnerability is in the execution order. Before the bytesize check runs, the base64_encoded? function performs regex matching over the entire input string:

    !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)

Impact


When successfully exploited, this vulnerability can lead to:

  • Excessive memory consumption
  • High CPU utilization
  • Application slowdown or unresponsiveness
  • Complete application crash in severe cases
  • Potential denial of service for legitimate users

All applications using ruby-saml with SAML configured and enabled are vulnerable.

Potential Solution

Reorder the validation steps so that the maximum bytesize is checked first:

    def decode_raw_saml(saml, settings = nil)
      settings = OneLogin::RubySaml::Settings.new if settings.nil?
      if saml.bytesize > settings.message_max_bytesize
        raise ValidationError.new("Encoded SAML Message exceeds " +
          settings.message_max_bytesize.to_s + " bytes, so was rejected")
      end
      return saml unless base64_encoded?(saml)
      decoded = decode(saml)
      ...
    end
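The two DoS advisories above (CVE-2025-25293, size checked before inflation, and CVE-2025-54572, base64 regex before the size check) come down to the same rule: the cheapest check runs first and every later stage has its own bound. The following is an added example, not ruby-saml's implementation, of a decode_raw_saml-style helper that checks the encoded bytesize before any regex work, then the base64 format, and then inflates with a cap on the inflated size; that last cap goes beyond the reordering fix shown on this page. The limits, the SamlSizeError class and the BASE64_FORMAT regex are assumptions made for this example.

```ruby
# Added example, not ruby-saml's implementation: decode a SAML message with the
# encoded-size check first, the base64 format check second, and a cap on the
# inflated size so a small compressed payload cannot expand without bound.
require 'zlib'

# Both limits are values chosen for this example.
MAX_ENCODED_BYTES  = 250_000
MAX_INFLATED_BYTES = 1_000_000

# Hypothetical error class for this example.
class SamlSizeError < StandardError; end

# Whole-string base64 (alphabet plus optional padding); constructed for this example.
BASE64_FORMAT = %r{\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)\z}

# Same shape as the check quoted above: strip literal and escaped line breaks
# and whitespace, then match the remainder. The gsub and the match both walk
# the entire input, which is why the size check has to run before this.
def base64_encoded?(string)
  !!string.gsub(/[\r\n]|\\r|\\n|\s/, '').match(BASE64_FORMAT)
end

# Inflate raw DEFLATE data (the HTTP-Redirect binding's encoding) chunk by
# chunk, aborting as soon as the output exceeds max_inflated_bytes. With a
# block, Zlib::Inflate#inflate yields output in bounded chunks, so memory use
# stays near the cap instead of growing to the full inflated size.
def bounded_inflate(data, max_inflated_bytes)
  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = +''
  zstream.inflate(data) do |chunk|
    out << chunk
    if out.bytesize > max_inflated_bytes
      raise SamlSizeError, "inflated SAML message exceeds #{max_inflated_bytes} bytes"
    end
  end
  out
ensure
  zstream&.close
end

# Order matters: bytesize first (constant time), then the regex, then decoding
# and bounded inflation. Raises SamlSizeError when either limit is exceeded and
# returns the input unchanged when it is not base64 (e.g. already-decoded XML).
def decode_raw_saml(saml, max_encoded_bytes: MAX_ENCODED_BYTES, max_inflated_bytes: MAX_INFLATED_BYTES)
  if saml.bytesize > max_encoded_bytes
    raise SamlSizeError, "encoded SAML message exceeds #{max_encoded_bytes} bytes, so was rejected"
  end
  return saml unless base64_encoded?(saml)

  decoded = saml.unpack1('m') # lenient base64 decode; the format was already checked
  begin
    bounded_inflate(decoded, max_inflated_bytes)
  rescue Zlib::Error
    decoded # not DEFLATE-compressed: plain base64-encoded XML
  end
end
```

The inflated-size cap is the part the reordering fix alone does not give you: a payload a few kilobytes long passes the encoded check and the regex, and only the bound inside bounded_inflate stops it from expanding to many megabytes before the XML parser ever sees it.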

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.