→

CVE-2025-25291: Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)

Summary

An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.

Impact

This issue may lead to authentication bypass.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-25291

CVE-2025-25291:

9.3

CVSS Score

4.0

-

CVSS Score

-

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ruby-saml	rubygems	< 1.12.4	1.12.4
ruby-saml	rubygems	>= 1.13.0, < 1.18.0	1.18.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) Differential XML parsing between ReXML (lenient) and Nokogiri (strict), particularly around DOCTYPE handling and namespace resolution. 2) Lack of consistency in XML processing between signature extraction (ReXML) and canonicalization (Nokogiri). The commit diffs show critical fixes in these areas: adding SAML_NAMESPACES to prevent XPath mismatches, implementing safe_load_xml with DOCTYPE validation, and separating parser workflows. The vulnerable functions directly handled XML parsing/validation without these safeguards.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-25291: Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)

Summary

Impact

CVE-2025-25291:

9.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

CVE-2025-25291: Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)

Summary

Impact

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

9.3

9.3

Basic Information

Basic Information

9.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-25291: Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)

Summary

Impact

CVE-2025-25291:

9.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-25291: Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)

Summary

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

9.3

9.3

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI