Headline

GHSA-hw46-3hmr-x9xv: omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue

Summary

There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml.

The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.

Please upgrade the ruby-saml requirement to v1.18.0.

Impact

Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.

2 months ago

ghsa

Open in Source

#vulnerability #ddos #git #auth #ruby

omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue

Critical severity GitHub Reviewed Published Mar 12, 2025 in omniauth/omniauth-saml • Updated Mar 12, 2025

ghsa: Latest News

GHSA-9fwj-9mjf-rhj3: laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

2 days ago

ghsa

GHSA-2f4r-34m4-3w8q: Auth0 Wordpress plugin Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

2 days ago

ghsa

GHSA-9wg9-93h9-j8ch: Auth0 Symfony SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

2 days ago

ghsa

GHSA-g98g-r7gf-2r25: Forgeable Encrypted Session Cookie in Apps Using Auth0-PHP SDK

2 days ago

ghsa

GHSA-99pm-ch96-ccp2: Flask-AppBuilder open redirect vulnerability using HTTP host injection

2 days ago

ghsa