Exploitation Summary
EIP tracks 1 public exploit for CVE-2025-25291. PoCs published by twypsy. A Nuclei detection template is also available.
AI-analyzed exploit summary This repository contains a functional Python-based PoC for CVE-2025-25291, which exploits a SAML authentication bypass vulnerability by modifying the SAML response's digest value to forge a valid assertion. The script parses an HTTP request containing a signed SAML response, modifies the username in the assertion, recalculates the digest, and outputs a forged SAML response ready for use in an authentication bypass attack.
Description
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
Exploits (1)
This repository contains a functional Python-based PoC for CVE-2025-25291, which exploits a SAML authentication bypass vulnerability by modifying the SAML response's digest value to forge a valid assertion. The script parses an HTTP request containing a signed SAML response, modifies the username in the assertion, recalculates the digest, and outputs a forged SAML response ready for use in an authentication bypass attack.
Nuclei Templates (1)
http.title:"gitlab" || cpe:"cpe:2.3:a:gitlab:gitlab" || http.html:"gitlab enterprise edition" || http.html:"gitlab-ci.yml"
body="gitlab enterprise edition" || body="gitlab-ci.yml" || title="gitlab"
References (13)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H