GitHub Uncovers New ruby-saml Vulnerabilities Allowing Account Takeover Attacks
GitHub Exposes Critical ruby-saml Flaws Enabling Account Takeovers!


Introduction

Two high-severity vulnerabilities have been discovered in the open-source ruby-saml library, posing serious risks of account takeover attacks. Tracked as CVE-2025-25291 and CVE-2025-25292, these flaws allow attackers to bypass SAML (Security Assertion Markup Language) authentication protections, which are widely used for Single Sign-On (SSO) systems.


How the Attack Works

SAML enables users to access multiple applications with one set of credentials, which makes the authentication step a prime target for attackers. The newly discovered vulnerabilities stem from the fact that the two XML parsers used by ruby-saml, REXML and Nokogiri, process the same XML input differently, so they can arrive at inconsistent views of the document structure.

The Risk:

  • Attackers can exploit this parser differential to perform a Signature Wrapping attack, crafting a SAML document that passes signature verification and bypasses authentication.
  • An attacker who holds any valid signature created with the target organization's SAML validation key can manipulate SAML assertions and log in as any user.


Impact and Affected Versions

Affected ruby-saml versions:

  • Versions before 1.12.4
  • Versions 1.13.0 to 1.17.9

Severity:

  • CVSS Score: 8.8/10
  • Potential Impact: Full account takeover, unauthorized access, and remote denial-of-service (DoS).

GitHub, which reported the flaws, emphasized the need for immediate patching to prevent exploitation.

Mitigation Measures

  • Update ruby-saml to versions 1.12.4 or 1.18.0 to fix the vulnerabilities.
  • Regularly review and update SAML authentication systems to address emerging threats.
  • Implement robust monitoring to detect unusual login patterns or access behaviours.
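The first step in the mitigation list is knowing whether a deployment is on an affected release. The following Ruby script is an added example, not code from the article or from the ruby-saml project: it reads a Gemfile.lock, extracts the pinned ruby-saml version and compares it against the affected ranges stated above (before 1.12.4, and 1.13.0 through 1.17.9), then names the fixed release to move to (1.12.4 for the 1.12 branch, 1.18.0 otherwise). The lockfile contents and the versions of the other gems in it are constructed for the demonstration.

```ruby
# Added example (not from the article or the ruby-saml project):
# check a project's Gemfile.lock against the affected ruby-saml ranges.
require 'rubygems'

# Affected ranges as given in the advisory summary above.
LOWER_BRANCH_FIXED = Gem::Version.new('1.12.4')   # everything below this is affected
UPPER_BRANCH_FIRST = Gem::Version.new('1.13.0')   # start of second affected range
UPPER_BRANCH_LAST  = Gem::Version.new('1.17.9')   # last affected release
UPPER_BRANCH_FIXED = '1.18.0'

# Constructed sample lockfile; gem versions other than ruby-saml are placeholders.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.5)
        racc (~> 1.4)
      racc (1.7.3)
      rexml (3.3.2)
      ruby-saml (1.15.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

# Pull the pinned ruby-saml version out of a Gemfile.lock.
# Resolved specs sit at four-space indentation in the GEM section;
# dependency lines (six spaces) are deliberately not matched.
# Returns nil when the gem is not present in the lockfile.
def ruby_saml_version(lockfile_text)
  m = lockfile_text.match(/^ {4}ruby-saml \(([^)]+)\)/)
  m && m[1]
end

# True when version_string falls inside one of the two affected ranges.
def affected?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < LOWER_BRANCH_FIXED
  v >= UPPER_BRANCH_FIRST && v <= UPPER_BRANCH_LAST
end

# Which fixed release to upgrade to: stay on the 1.12 branch if that is
# where the project already is, otherwise move to 1.18.0.
def upgrade_target(version_string)
  Gem::Version.new(version_string) < UPPER_BRANCH_FIRST ? LOWER_BRANCH_FIXED.to_s : UPPER_BRANCH_FIXED
end

# Summarise a lockfile: nil when ruby-saml is absent, otherwise a hash with
# the pinned version, whether it is affected, and the recommended target.
def scan_lockfile(lockfile_text)
  version = ruby_saml_version(lockfile_text)
  return nil unless version
  {
    version: version,
    affected: affected?(version),
    upgrade_to: affected?(version) ? upgrade_target(version) : nil
  }
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = scan_lockfile(text)
  if result.nil?
    puts 'ruby-saml not found in lockfile'
  elsif result[:affected]
    puts "ruby-saml #{result[:version]} is AFFECTED; upgrade to #{result[:upgrade_to]}"
  else
    puts "ruby-saml #{result[:version]} is not in an affected range"
  end
end
```

Run it with a path to a real Gemfile.lock as the first argument, or with no arguments to scan the constructed sample; in CI the same check can be wired to fail the build while the pinned version is inside an affected range.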


How Indian Cyber Security Solutions (ICSS) Helps

Indian Cyber Security Solutions (ICSS) supports businesses in mitigating complex authentication vulnerabilities and securing digital assets through:

  • Vulnerability Assessment and Penetration Testing (VAPT): Identify and fix SAML and API security flaws.
  • SAVE - Automated Vulnerability Scanning Tool: Continuous scanning to detect emerging authentication vulnerabilities.
  • Advanced Threat Monitoring: Detect and respond to suspicious login attempts or account takeover threats.
  • Security Awareness Training: Empower teams to recognize identity-based attacks and prevent breaches.

With a strong client portfolio and proven success stories, ICSS ensures safe transactions and robust defence against modern cyber threats.

Learn more: Indian Cyber Security Solutions


Conclusion

As SAML-based authentication becomes more widespread, vulnerabilities like these highlight the critical need for continuous monitoring and timely patching. By partnering with ICSS, businesses can strengthen their authentication systems and safeguard sensitive user accounts from takeover attacks.
