CVE-2025-25291

CRITICAL

CVSS v3

9.8

CRITICAL

EPSS Score

13.8%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

Technical Details

Published
3/12/2025

Frequently Asked Questions

What is CVE-2025-25291?

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

Is CVE-2025-25291 actively exploited?

Active exploitation of CVE-2025-25291 has not been confirmed. The EPSS score is 13.8%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2025-25291?

CVE-2025-25291 has a CVSS v3 base score of 9.8 (CRITICAL severity).

Is CVE-2025-25291 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.