CVE-2025-25291 CRITICAL

CVE-2025-25291: ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)

Vendor Saml-Toolkits
Product ruby-saml
Weakness CWE-347
Published March 12, 2025
Last update November 3, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ruby-saml provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. REXML and Nokogiri parse XML differently, and the two parsers can generate entirely different document structures from the same XML input. Because of this, the signature can be checked against one interpretation of the document while the assertion is read from another, which allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

Key dates

02 Disclosure timeline

March 12, 2025 CVE published
November 3, 2025 Record updated