
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-25291 is a critical authentication bypass vulnerability in ruby-saml affecting versions prior to 1.12.4 and 1.18.0. It is caused by a parser differential: REXML and Nokogiri parse the same XML input differently and can produce entirely different document structures from it (GitHub Blog, NVD). The vulnerability was discovered in March 2025 and affects applications that use the ruby-saml library for SAML SSO authentication.
The root cause is ruby-saml's use of two different XML parsers during signature verification: REXML parses the document and is used to validate signatures, while Nokogiri is used to access attributes. Because the two parsers can build different document structures from the same input, an attacker can craft an XML document that exploits this inconsistency in a Signature Wrapping attack and bypasses signature verification (PortSwigger, GitHub Blog).
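The following is an added defensive example, not code from ruby-saml or from the sources cited above. It uses only REXML (a standard Ruby library) to run a structural pre-check before any signature verification: a Signature Wrapping attack relies on the document containing more than one candidate for the signed element, so the check rejects responses with extra Assertion, Signature or Reference elements, or a Reference URI whose ID resolves to more than one element. The sample responses are constructed and use placeholder signature values. This filter narrows the room for a parser differential; it does not replace upgrading to a fixed ruby-saml release.

```ruby
require "rexml/document"

# Standard SAML 2.0 and XML-DSIG namespace URIs.
SAML_NS = {
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
  "ds"    => "http://www.w3.org/2000/09/xmldsig#",
}.freeze

# Structural pre-check run before signature verification. Returns a list of
# problems (empty when the document is unambiguous). Any condition under which
# a second parser could plausibly select a different Assertion or Signature
# than the one being verified is reported. Defensive filter only.
def saml_structure_problems(xml)
  doc = REXML::Document.new(xml)
  problems = []

  assertions = REXML::XPath.match(doc, "//saml:Assertion", SAML_NS)
  signatures = REXML::XPath.match(doc, "//ds:Signature", SAML_NS)
  references = REXML::XPath.match(doc, "//ds:Reference", SAML_NS)

  problems << "expected 1 Assertion, found #{assertions.size}" if assertions.size != 1
  problems << "expected 1 Signature, found #{signatures.size}" if signatures.size != 1
  problems << "expected 1 Reference, found #{references.size}" if references.size != 1

  references.each do |ref|
    uri = ref.attributes["URI"].to_s
    unless uri.start_with?("#")
      problems << "Reference URI #{uri.inspect} is not a same-document ID reference"
      next
    end
    id = uri[1..]
    # IDs are NCNames; anything else is rejected rather than interpolated into XPath.
    unless id.match?(/\A[A-Za-z_][\w.\-]*\z/)
      problems << "Reference ID #{id.inspect} is not a valid NCName"
      next
    end
    targets = REXML::XPath.match(doc, "//*[@ID='#{id}']")
    problems << "ID #{id} resolves to #{targets.size} elements, expected 1" if targets.size != 1
  end

  problems
rescue REXML::ParseException => e
  ["not well-formed XML: #{e.message.lines.first.to_s.strip}"]
end

# Constructed sample response (placeholder signature value, not a real signature).
CLEAN_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
    <saml:Assertion ID="_a1">
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed wrapped variant: a second, unsigned Assertion reusing the signed ID.
WRAPPED_RESPONSE = CLEAN_RESPONSE.sub(
  "</samlp:Response>",
  "  <saml:Assertion ID=\"_a1\"><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>\n</samlp:Response>"
)

if __FILE__ == $0
  puts "clean:   #{saml_structure_problems(CLEAN_RESPONSE).inspect}"
  puts "wrapped: #{saml_structure_problems(WRAPPED_RESPONSE).inspect}"
end
```

The clean response yields an empty problem list; the wrapped variant is reported twice, once for the extra Assertion and once because `#_a1` now resolves to two elements. Run the check on the raw response bytes, before the document is handed to any library that will parse it again.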
An attacker who possesses a single valid signed SAML document from the IdP can use it to authenticate as any valid user of that SAML IdP, resulting in complete authentication bypass and account takeover (Hacker News, GitLab Release).
The vulnerability is fixed in ruby-saml versions 1.12.4 and 1.18.0. For GitLab instances that cannot be updated immediately, GitLab's temporary mitigations are to enable GitLab two-factor authentication for all user accounts, disable the SAML two-factor bypass option, and require admin approval for automatically created new users. Note that enabling multi-factor authentication at the identity provider does not mitigate this vulnerability, because the bypass happens at the service provider's signature check rather than at the IdP (GitLab Release, NetApp Advisory).
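As an added example (not from ruby-saml, GitLab or the advisories), the check below encodes the two fixed release lines given above and applies them to a Gemfile.lock, which is where the resolved ruby-saml version of a Ruby application actually lives. The lockfile excerpt is constructed for the example; the lockfile layout assumed is Bundler's standard one, where direct gems appear under `specs:` indented four spaces as `name (version)`.

```ruby
# Fixed release lines named in the advisory: 1.12.4 for the 1.12.x branch,
# 1.18.0 for everything else.
FIXED_1_12 = Gem::Version.new("1.12.4")
FIXED_MAIN = Gem::Version.new("1.18.0")

# True when the given ruby-saml version is still affected by CVE-2025-25291.
def ruby_saml_vulnerable?(version)
  v = Gem::Version.new(version)
  major, minor = v.segments[0, 2]
  if major == 1 && minor == 12
    v < FIXED_1_12
  else
    v < FIXED_MAIN
  end
end

# Pulls the resolved ruby-saml version out of Gemfile.lock text (assumed
# Bundler layout: direct specs under "specs:" indented four spaces).
def ruby_saml_version_from_lock(lock_text)
  m = lock_text.match(/^    ruby-saml \(([^)\s]+)\)/)
  m && m[1]
end

# Combined check; returns :vulnerable, :fixed or :not_present.
def lockfile_status(lock_text)
  version = ruby_saml_version_from_lock(lock_text)
  return :not_present unless version
  ruby_saml_vulnerable?(version) ? :vulnerable : :fixed
end

# Constructed Gemfile.lock excerpt (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.0)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

if __FILE__ == $0
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCK
  puts "ruby-saml #{ruby_saml_version_from_lock(text).inspect}: #{lockfile_status(text)}"
end
```

Run it with a path to a Gemfile.lock, or without arguments to see the constructed sample reported as vulnerable (1.17.0 is below 1.18.0 and not on the 1.12.x line). Treat `:not_present` with care: ruby-saml can also arrive as a transitive dependency, which this four-space match deliberately does not cover.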
The vulnerability has drawn significant attention in the security community. GitLab immediately released patches for affected versions, and other major organizations such as NetApp issued security advisories. Security researchers have emphasized its seriousness, with some recommending a transition from SAML to OAuth because of the inherent security risks in XML-DSIG implementations (Hacker News).
Source: This report was generated using AI