GHSA-hw46-3hmr-x9xv: 
Ruby vulnerability analysis and mitigation

A critical vulnerability was identified in omniauth-saml, affecting versions <2.2.2 and <1.10.5. The vulnerability is related to its dependency on ruby-saml, which contains two critical Signature Wrapping Vulnerabilities (CVE-2025-25291, CVE-2025-25292) and a potential DoS Moderated Vulnerability (CVE-2025-25293). The issue was discovered and disclosed on March 12, 2025, with patches released in versions 2.2.3, 2.1.3, and 1.10.6 (GitHub Advisory).

The vulnerability stems from two critical issues in the ruby-saml dependency. The first involves parser differentials between ReXML and Nokogiri, where they parse XML differently and can generate entirely different document structures from the same XML input, enabling Signature Wrapping attacks. The second issue relates to compressed SAML responses, where message size checks can be bypassed since they occur before inflation rather than after, potentially leading to Denial of Service conditions (CVE Mitre).

The vulnerabilities allow attackers to execute Signature Wrapping attacks, potentially leading to authentication bypass and user impersonation. Additionally, the DoS vulnerability could affect service availability through compressed SAML response exploitation (GitHub Advisory).

Users are strongly advised to upgrade to the patched versions: omniauth-saml version 2.2.3, 2.1.3, or 1.10.6, which include the updated ruby-saml dependency (version 1.18.0). These versions contain fixes for both the Signature Wrapping vulnerabilities and the DoS issue (RubyGems).