CVE-2024-45409

CRITICAL EXPLOITED NUCLEI LAB

ruby-saml <=1.12.2 and 1.13.0-1.16.0 - Unauthenticated SAML Signature Verification Bypass

Exploitation Summary

CVE-2024-45409 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including synacktiv and exploitintel. A Nuclei detection template is also available.

Description

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in versions <= 1.12.2 and 1.13.0 through 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

Exploits (2)

nomisec WORKING POC 83 stars
by synacktiv · remote
https://github.com/synacktiv/CVE-2024-45409

This repository contains a functional exploit for CVE-2024-45409, which manipulates SAML responses by moving the signature into the assertion and inserting a malicious reference to bypass signature validation. The exploit parses a SAML response, modifies its structure, and outputs a crafted response that can be used for authentication bypass.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: SAML-based authentication systems (specific software not explicitly mentioned)
No auth needed
Prerequisites: A valid SAML response file (raw or URL + Base64 encoded)
devstral-2 · analyzed Feb 19, 2026

github WORKING POC 1 stars
by exploitintel · pythonpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2024-45409

This repository contains a functional exploit for CVE-2024-45409, demonstrating an XML Signature Wrapping attack against ruby-saml to bypass SAML authentication. It includes multiple PoC scripts, a lab setup, and detailed technical analysis.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: ruby-saml 1.13.0 – 1.16.0 and <= 1.12.2; omniauth-saml <= 1.10.3, 2.0.0 – 2.1.0; GitLab <= 16.11.10
No auth needed
Prerequisites: A legitimately signed SAML Response from the target IdP
devstral-2 · analyzed Mar 02, 2026

Nuclei Templates (1)

GitLab - SAML Authentication Bypass
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch
Shodan: http.title:"GitLab"

Scores

CVSS v3 10.0
EPSS 0.4464
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Lab Environment

EIP LAB
Vulnerable image: docker pull ghcr.io/exploitintel/cve-2024-45409-vulnerable:latest

Details

VulnCheck KEV 2024-10-15
CWE CWE-347
Status published
Products (7)
gitlab/gitlab < 16.11.10
omniauth/omniauth_saml 2.0.0
omniauth/omniauth_saml 2.1.0
omniauth/omniauth_saml < 1.10.3
onelogin/ruby-saml < 1.12.3
rubygems/ruby-saml 0 - 1.12.3 (RubyGems)
rubygems/ruby-saml 1.13.0 - 1.17.0 (RubyGems)
Published Sep 10, 2024
Tracked Since Feb 18, 2026