The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
The Ruby-SAML library does not properly verify the cryptographic signature of the SAML Response returned by the identity provider (IdP). An attacker with access to any SAML document signed by the IdP can use it as a basis to craft their own SAML response or assertion with arbitrary content — including any user identity. The forged document is accepted by the vulnerable system as valid because signature verification is ineffective.
An unauthenticated attacker can log in as any user in a system using the vulnerable library, including as an administrator, leading to full account takeover and unauthorized access to protected resources.
Ruby-SAML should be updated to version 1.17.0 or 1.12.3, in which the vulnerability has been fixed. Users of the omniauth-saml library should update the Ruby-SAML dependency to a secure version according to recommendations published in the vendor's repository.
Ruby-SAML in versions <= 1.12.2 and >= 1.13.0 and <= 1.16.0; omniauth-saml library using vulnerable versions of Ruby-SAML
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:NGitLab
APPGitlab17.3.0 – 17.3.3 (bez)< 16.11.1017.0.0 – 17.0.8 (bez)17.1.0 – 17.1.8 (bez)17.2.0 – 17.2.7 (bez)Omniauth Saml
APPOmniauth2.0.02.1.0≤ 1.10.3Onelogin Ruby Saml
APPOnelogin< 1.12.31.13.0 – 1.17.0 (bez)
Related vulnerabilities
GitLab: Przejęcie konta przez reset hasła na niezweryfikowany e-mail
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properl...
Authentication bypass w ruby-saml poprzez atak Signature Wrapping
Auth Bypass w ruby-saml przez atak Signature Wrapping (CVE-2025-66567)
Pominięcie uwierzytelnienia SAML SSO przez atak Signature Wrapping w ruby-saml