CVE-2025-25291 PoC — ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2025/CVE-2025-25291.yaml

Associated Vulnerability

Title:ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential) (CVE-2025-25291)
Description:ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

Description

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

File Snapshot


 id: CVE-2025-25291

info:
  name: GitLab - SAML Authentication Bypass
  author: iamnoooob,rootxharsh

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!