Search for packages
| purl | pkg:gem/ruby-saml@1.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-12er-nkhb-5kck
Aliases: CVE-2025-25292 GHSA-754f-8gm6-c4r2 |
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential) ### Summary An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. ### Impact This issue may lead to authentication bypass. |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-4cuy-qn4h-vkcx
Aliases: CVE-2016-5697 GHSA-36p7-xjw8-h6f2 |
The package ruby-saml is vulnerable to an XML signature wrapping attack in the specific scenario where there was a signature that referenced two elements at the same time (but past the scheme validator process since 1 of the element was inside the encrypted assertion). |
Affected by 8 other vulnerabilities. |
|
VCID-7g5d-1wbd-w3ev
Aliases: CVE-2025-66567 GHSA-9v8j-x534-2fx3 |
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential) Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0. |
Affected by 1 other vulnerability. |
|
VCID-d6a2-bseb-b7fb
Aliases: CVE-2025-25293 GHSA-92rq-c8cf-prrq |
Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses ### Summary ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. Ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. ### Impact This issue may lead to remote Denial of Service (DoS). |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-e63v-x8w4-vufw
Aliases: CVE-2025-25291 GHSA-4vc4-m8qh-g8jm |
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential) ### Summary An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. ### Impact This issue may lead to authentication bypass. |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-uhu9-4mv8-nbaf
Aliases: CVE-2017-11428 GHSA-x2fr-v8wf-8wwv |
Authentication bypass via incorrect DOM traversal and canonicalization Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message. A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-w1rp-n9ej-ruhv
Aliases: CVE-2024-45409 GHSA-cvp8-5r8g-fhvq GHSA-jw9c-mfg7-9rx2 |
SAML authentication bypass via Incorrect XPath selector Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-w8r1-wnkc-e3hk
Aliases: CVE-2025-54572 GHSA-rrqh-93c8-j966 |
Ruby SAML DOS vulnerability with large SAML response ### Summary A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion. ### Details `ruby-saml` includes a `message_max_bytesize` setting intended to prevent DOS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code: https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb ```ruby def decode_raw_saml(saml, settings = nil) return saml unless base64_encoded?(saml) # <--- Issue here. Should be moved after next code block. settings = OneLogin::RubySaml::Settings.new if settings.nil? if saml.bytesize > settings.message_max_bytesize raise ValidationError.new(\"Encoded SAML Message exceeds \" + settings.message_max_bytesize.to_s + \" bytes, so was rejected\") end decoded = decode(saml) ... end ``` The vulnerability is in the execution order. Prior to checking bytesize the `base64_encoded?` function performs regex matching on the entire input string: ```ruby !!string.gsub(/[\\r\]|\\\\r|\\\|\\s/, \"\").match(BASE64_FORMAT) ``` ### Impact _What kind of vulnerability is it? Who is impacted?_ When successfully exploited, this vulnerability can lead to: - Excessive memory consumption - High CPU utilization - Application slowdown or unresponsiveness - Complete application crash in severe cases - Potential denial of service for legitimate users All applications using `ruby-saml` with SAML configured and enabled are vulnerable. ### Potential Solution Reorder the validation steps to ensure max bytesize is checked first ```ruby def decode_raw_saml(saml, settings = nil) settings = OneLogin::RubySaml::Settings.new if settings.nil? if saml.bytesize > settings.message_max_bytesize raise ValidationError.new(\"Encoded SAML Message exceeds \" + settings.message_max_bytesize.to_s + \" bytes, so was rejected\") end return saml unless base64_encoded?(saml) decoded = decode(saml) ... end ``` |
Affected by 0 other vulnerabilities. |
|
VCID-x721-mbr2-9bhh
Aliases: CVE-2025-66568 GHSA-x4h9-gwv3-r4m4 |
Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue at libxml2 canonicalization process used by Nokogiri for document transformation. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-an6g-hdf9-w7dp | XXE vulnerability The gem is vulnerable to external entity expansion attacks. |
OSVDB-124383
|
| VCID-hjc9-tfcb-efcz | XPath Injection Vulnerability The gem is vulnerable to XPath injection on xml_security.rb. The lack of prepared statements allows for command injection, leading to arbitrary code execution. |
OSVDB-124991
|
| VCID-kga7-6cqa-5qgh | ruby-saml vulnerable to XPath injection `xml_security.rb` in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used. |
CVE-2015-20108
GHSA-r364-2pj4-pf7f OSV-124991 |