[DRE-maint] Bug#1100441: ruby-saml: CVE-2025-25291 CVE-2025-25292 CVE-2025-25293

Salvatore Bonaccorso carnil at debian.org
Thu Mar 13 21:54:40 GMT 2025 

Source: ruby-saml
Version: 1.17.0-1
Severity: grave
Tags: upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org

Hi,

The following vulnerabilities were published for ruby-saml.

CVE-2025-25291[0]:
| ruby-saml provides security assertion markup language (SAML) single
| sign-on (SSO) for Ruby. An authentication bypass vulnerability was
| found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a
| parser differential. ReXML and Nokogiri parse XML differently; the
| parsers can generate entirely different document structures from the
| same XML input. That allows an attacker to be able to execute a
| Signature Wrapping attack. This issue may lead to authentication
| bypass. Versions 1.12.4 and 1.18.0 fix the issue.


CVE-2025-25292[1]:
| ruby-saml provides security assertion markup language (SAML) single
| sign-on (SSO) for Ruby. An authentication bypass vulnerability was
| found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a
| parser differential. ReXML and Nokogiri parse XML differently, the
| parsers can generate entirely different document structures from the
| same XML input. That allows an attacker to be able to execute a
| Signature Wrapping attack. This issue may lead to authentication
| bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.


CVE-2025-25293[2]:
| ruby-saml provides security assertion markup language (SAML) single
| sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-
| saml is susceptible to remote Denial of Service (DoS) with
| compressed SAML responses. ruby-saml uses zlib to decompress SAML
| responses in case they're compressed. It is possible to bypass the
| message size check with a compressed assertion since the message
| size is checked before inflation and not after. This issue may lead
| to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix
| the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-25291
    https://www.cve.org/CVERecord?id=CVE-2025-25291
[1] https://security-tracker.debian.org/tracker/CVE-2025-25292
    https://www.cve.org/CVERecord?id=CVE-2025-25292
[2] https://security-tracker.debian.org/tracker/CVE-2025-25293
    https://www.cve.org/CVERecord?id=CVE-2025-25293

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

More information about the Pkg-ruby-extras-maintainers mailing list