Ruby-saml Security Vulnerabilities and Issues — Ruby-saml CVE List

OneloginRuby-saml

9 matches found

CVE•added 2025/03/12 8:53 p.m.•2029 views

CVE-2025-25292

Ruby-saml contains an authentication bypass vulnerability caused by a parser differential between ReXML and Nokogiri. The issue affects versions older than 1.12.4 and 1.18.0, enabling a Signature Wrapping attack that can lead to bypassing SAML authentication. A patch exists in versions 1.12.4 and...

9.8CVSS7AI score0.03321EPSS

CVE•added 2025/03/12 8:16 p.m.•2004 views

CVE-2025-25291

ruby-saml vulnerabilities CVE-2025-25291/25292/25293 relate to a parser differential between ReXML and Nokogiri that enables a Signature Wrapping authentication bypass and related DoS when handling SAML inputs. Affected versions prior to 1.12.4 and 1.18.0 are vulnerable; fixes are shipped in 1.12...

9.8CVSS7AI score0.20843EPSS

CVE•added 2024/09/10 6:50 p.m.•349 views

CVE-2024-45409

CVE-2024-45409 affects the Ruby-SAML library used for SAML client functionality. Ubuntu/Debian advisories and IBM/GitHub entries confirm that versions <= 12.2 and 1.13.0

10CVSS9.3AI score0.44644EPSS

CVE•added 2025/03/12 8:11 p.m.•90 views

CVE-2025-25293

CVE-2025-25293 concerns the ruby-saml library used for SAML SSO in Ruby. The issue affects prior to versions 1.12.4 and 1.18.0, where remote attackers could trigger a Denial of Service by sending compressed SAML responses. The vulnerability stems from how ruby-saml decompresses SAML assertions wi...

8.7CVSS6.6AI score0.06225EPSS

CVE•added 2019/04/17 1:59 p.m.•85 views

CVE-2017-11428

CVE-2017-11428 affects OneLogin Ruby-SAML up to version 1.6.0. The issue arises from improper use of XML DOM traversal and canonicalization results, allowing manipulation of SAML data without breaking the cryptographic signature and potentially bypassing authentication to SAML service providers. ...

9.8CVSS8.7AI score0.00374EPSS

CVE•added 2017/01/23 9:0 p.m.•72 views

CVE-2016-5697

CVE-2016-5697 concerns the Ruby-saml library before version 1.3.0, where improper handling of SAML signatures allows XML signature wrapping attacks via unspecified vectors. The vulnerability can enable an unauthenticated attacker to impersonate a user by abusing how SAML responses are validated (...

7.5CVSS7.3AI score0.00416EPSS

CVE•added 2023/05/27 12:0 a.m.•60 views

CVE-2015-20108

The CVE-2015-20108 issue affects the ruby-saml gem prior to 1.0.0, where xml_security.rb enables XPath injection and code execution because prepared statements are not used. Affected component: ruby-saml XML security handling. Root cause: lack of prepared statements in XPath processing leads to i...

9.8CVSS9.8AI score0.01183EPSS

CVE•added 2025/12/09 2:3 a.m.•16 views

CVE-2025-66568

CVE-2025-66568 affects the ruby-saml library (client-side SAML) with versions up to 1.12.4 vulnerable to authentication bypass via libxml2 canonicalization used by Nokogiri. On invalid XML input, canonicalization can return an empty string, causing DigestValue to be computed over that empty strin...

9.3CVSS6.8AI score0.00048EPSS

CVE•added 2025/12/09 1:55 a.m.•15 views

CVE-2025-66567

The CVE-2025-66567 issue affects ruby-saml, where versions up to and including 1.12.4 implement a SAML SSO client but contain an authentication bypass due to an incomplete fix for CVE-2025-25292. The root cause is a parser differential: ReXML and Nokogiri parse XML differently, producing differen...

9.3CVSS9.3AI score0.04077EPSS