Skip to content

omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue

Critical severity GitHub Reviewed Published Mar 12, 2025 in omniauth/omniauth-saml • Updated May 22, 2025

Package

bundler omniauth-saml (RubyGems)

Affected versions

>= 2.2.0, < 2.2.3
>= 2.0.0, < 2.1.3
< 1.10.6

Patched versions

2.2.3
2.1.3
1.10.6

Description

Summary

There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml.

The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.

Please upgrade the ruby-saml requirement to v1.18.0.

Impact

Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.

References

@bufferoverflow bufferoverflow published to omniauth/omniauth-saml Mar 12, 2025
Published to the GitHub Advisory Database Mar 12, 2025
Reviewed Mar 12, 2025
Last updated May 22, 2025

Severity

Critical

EPSS score

Weaknesses

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-hw46-3hmr-x9xv

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.