GHSA-hw46-3hmr-x9xv

Source

https://github.com/advisories/GHSA-hw46-3hmr-x9xv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-hw46-3hmr-x9xv/GHSA-hw46-3hmr-x9xv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hw46-3hmr-x9xv

Related

Published

2025-03-12T19:42:58Z

Modified

2025-03-12T20:08:57.390878Z

Summary

omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue

Details

Summary

There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml.

The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.

Please upgrade the ruby-saml requirement to v1.18.0.

Impact

Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-347"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-12T19:42:58Z"
}

References

Affected packages

RubyGems / omniauth-saml

Package

Name: omniauth-saml
Purl: pkg:gem/omniauth-saml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.3

Affected versions

2.*

2.2.0

2.2.1

2.2.2

RubyGems / omniauth-saml

Package

Name: omniauth-saml
Purl: pkg:gem/omniauth-saml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.1.3

Affected versions

2.*

2.0.0

2.1.0

2.1.1

2.1.2

RubyGems / omniauth-saml

Package

Name: omniauth-saml
Purl: pkg:gem/omniauth-saml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.6

Affected versions

0.*

0.9.0

0.9.1

0.9.2

1.*

1.0.0

1.1.0

1.2.0

1.3.0

1.3.1

1.4.0

1.4.1

1.4.2

1.5.0

1.6.0

1.7.0

1.8.0

1.8.1

1.9.0

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5