VulnerableCode Package Details - pkg:gem/omniauth-saml@2.1.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-2ded-zkye-buet Aliases: GHSA-hw46-3hmr-x9xv	omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue ### Summary There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml. The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0. Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0. ### Impact Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.	2.1.3 Affected by 0 other vulnerabilities. 2.2.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2ded-zkye-buet
Aliases:
GHSA-hw46-3hmr-x9xv

omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue ### Summary There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml. The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0. Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0. ### Impact Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.

2.1.3
Affected by 0 other vulnerabilities.

2.2.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-w1rp-n9ej-ruhv	SAML authentication bypass via Incorrect XPath selector Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system.	CVE-2024-45409 GHSA-cvp8-5r8g-fhvq GHSA-jw9c-mfg7-9rx2

Vulnerability

Summary

Aliases

VCID-w1rp-n9ej-ruhv

SAML authentication bypass via Incorrect XPath selector Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system.

CVE-2024-45409
GHSA-cvp8-5r8g-fhvq
GHSA-jw9c-mfg7-9rx2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T05:42:11.928745+00:00	GitLab Importer	Affected by	VCID-2ded-zkye-buet	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml	38.6.0
2026-06-05T21:48:20.162367+00:00	GHSA Importer	Fixing	VCID-w1rp-n9ej-ruhv	https://github.com/advisories/GHSA-cvp8-5r8g-fhvq	38.6.0
2026-06-04T18:15:23.833011+00:00	Ruby Importer	Affected by	VCID-2ded-zkye-buet	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml	38.6.0
2026-06-04T16:45:40.474979+00:00	GithubOSV Importer	Fixing	VCID-w1rp-n9ej-ruhv	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json	38.6.0
2026-06-04T16:22:15.317786+00:00	GitLab Importer	Fixing	VCID-w1rp-n9ej-ruhv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml	38.6.0