Overview

  • SAML-Toolkits
  • ruby-saml

12 Mar 2025
Published
14 Mar 2025
Updated

CVSS v4.0
HIGH (8.8)
EPSS
0.04%

KEV

Description

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

Statistics

  • 5 Posts
  • 42 Interactions

Fediverse

In this demonstration I show the impact of CVE-2025-25291/CVE-2025-25292, an authentication bypass in ruby-saml used by high profile OSS projects such as GitLab. My team coordinated with both the ruby-saml maintainer and GitLab to get this vulnerability fixed and patches are available at about.gitlab.com/releases/2025

  • 11
  • 9
  • 18 hours ago

There were a couple of CVEs yesterday for ruby-saml that you may want to look into.

github.com/SAML-Toolkits/ruby-

sev:HIGH 8.8 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

nvd.nist.gov/vuln/detail/CVE-2

github.com/SAML-Toolkits/ruby-

sev:HIGH 8.8 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

nvd.nist.gov/vuln/detail/CVE-2

  • 6
  • 4
  • 23 hours ago

Related to these, GitLab had a critical patch release yesterday to address them.

about.gitlab.com/releases/2025

GitLab has remediated two privately disclosed security issues (CVE-2025-25291, CVE-2025-25292) identified in the ruby-saml library which GitLab uses when SAML SSO authentication is enabled at the instance or group level. These issues have been remediated on GitLab.com, and in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2.

  • 2
  • 2
  • 23 hours ago

And a writeup by GitHub on it: github.blog/security/sign-in-a

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user. In other words, it could be used for an account takeover attack. Users of ruby-saml should update to version 1.18.0. Libraries making use of ruby-saml (such as omniauth-saml) also need to be updated to a version that references a fixed version of ruby-saml.

  • 2
  • 0
  • 23 hours ago

Just stumbled across something kinda scary... SAML authentication issues! Now, I know it sounds super technical, but honestly, this affects ANYONE using Single Sign-On. Seriously!

Think about logging into Netflix, Google, all that stuff – a lot of it uses SAML. What if someone could just waltz right in pretending to be you? SAML's basically the language websites use to confirm you are who you say you are. And Single Sign-On (SSO) makes it so you only log in once to access everything.

Now, about CVEs, they're like wanted posters for security flaws. CVE-2025-25291, CVE-2025-25292, CVE-2025-25293 are the numbers to remember. The problem lies in how XML is being interpreted. Two programs, same code, totally different results – NOT GOOD. Imagine two bouncers checking the same ID, but one lets everyone in, and the other doesn't. Total chaos!

As a pentester, I see these "parser differentials" way more often than I'd like. The devil's always in the details, right?

Big deal? HUGE. Account Takeover is totally possible! Hackers could swipe your identity. This affects the ruby-saml library – which is frequently used in web applications. Affected versions: < 1.12.4 and >= 1.13.0, < 1.18.0.

Huge shoutout to GitHub Security Lab for finding this! They're lifesavers.

Good news, though! Updates are here: ruby-saml 1.12.4 and 1.18.0.

So, check if your web apps are using ruby-saml. And if they are, UPDATE THEM. Like, NOW. This isn't a joke.

Also, regular pentests are worth their weight in GOLD. Automated tools often miss stuff like this.

Do you use SAML? What are your experiences with it? How do you secure your web applications? Ever run into similar parsing issues? Let's share info and help keep everyone safe!

  • 4
  • 2
  • 19 hours ago

Overview

  • FreeType
  • FreeType

11 Mar 2025
Published
14 Mar 2025
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.06%

KEV

Description

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate a heap buffer that is too small. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Statistics

  • 2 Posts
  • 1 Interaction

Fediverse

The vulnerability has been assigned the CVE identifier CVE-2025-27363, and carries a CVSS score of 8.1, indicating high severity. thehackernews.com/2025/03/meta

  • 1
  • 0
  • 23 hours ago

🚨 Critical Alert: A severe vulnerability (CVE-2025-27363) in the FreeType font library, used by millions, is being actively exploited.

This flaw allows RCE, risking numerous systems. Affected platforms include Linux distributions, Android, and iOS.

Read: thehackernews.com/2025/03/meta

Update to FreeType version 2.13.3 immediately to protect your devices. Act now!

  • 0
  • 0
  • 1 hour ago

Overview

  • vim
  • vim

13 Mar 2025
Published
13 Mar 2025
Updated

CVSS v3.1
MEDIUM (4.4)
EPSS
0.04%

KEV

Description

Vim, a text editor, is vulnerable to potential data loss with zip.vim and specially crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.

Statistics

  • 1 Post
  • 6 Interactions

Fediverse

I like this because it's vim and because the description.

github.com/vim/vim/security/ad

sev:MED 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Vim, a text editor, is vulnerable to potential data loss with zip.vim and specially crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.

nvd.nist.gov/vuln/detail/CVE-2

  • 3
  • 3
  • 16 hours ago

Overview

  • snowflakedb
  • snowflake-jdbc

13 Mar 2025
Published
13 Mar 2025
Updated

CVSS v3.1
LOW (3.3)
EPSS
0.04%

KEV

Description

Snowflake, a platform for using artificial intelligence in the context of cloud computing, has a vulnerability in the Snowflake JDBC driver ("Driver") in versions 3.0.13 through 3.23.0 of the driver. When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. Snowflake fixed the issue in version 3.23.1.

Statistics

  • 1 Post
  • 6 Interactions

Fediverse

I don't care if it's a sev:LOW if I see Snowflake I'm calling it out.

WHERE YOUR DATA MEETS AI. SECURELY.

github.com/snowflakedb/snowfla

sev:LOW 3.3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Snowflake, a platform for using artificial intelligence in the context of cloud computing, has a vulnerability in the Snowflake JDBC driver ("Driver") in versions 3.0.13 through 3.23.0 of the driver. When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. Snowflake fixed the issue in version 3.23.1.

nvd.nist.gov/vuln/detail/CVE-2

  • 2
  • 4
  • 14 hours ago

Overview

  • str4d
  • ed25519-java

13 Mar 2025
Published
13 Mar 2025
Updated

CVSS v3.1
MEDIUM (4.3)
EPSS
0.04%

KEV

Description

The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message.

Statistics

  • 1 Post
  • 4 Interactions

Fediverse

Old vuln, new CVE. I know ed25519 is relatively popular with you nerds so while this should no longer be a problem (I hope) here is a CVE should you need it for tracking.

github.com/str4d/ed25519-java/

sev:MED 4.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message.

cvedetails.com/cve/CVE-2020-36

  • 1
  • 3
  • 23 hours ago

Overview

  • Microsoft
  • Microsoft Dataverse

13 Mar 2025
Published
13 Mar 2025
Updated

CVSS v3.1
HIGH (7.2)
EPSS
0.05%

KEV

Description

Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse

The dataverse was vulnerable, whatever that is. I read about it with a previous vuln and already forgot. Not listed as exploited. That they know of...

msrc.microsoft.com/update-guid

sev:CRIT 7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network.

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

nvd.nist.gov/vuln/detail/CVE-2

  • 1
  • 2
  • 16 hours ago

Overview

  • Kubernetes
  • Kubelet

13 Mar 2025
Published
13 Mar 2025
Updated

CVSS v3.1
MEDIUM (6.5)
EPSS
Pending

KEV

Description

This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse

I wrote up some notes on the new CVE in gitRepo volumes. TL;DR is that I don't think it'll affect that many clusters as it's only relevant in quite specific circumstances, but I do think it's worth cluster operators blocking the use of gitRepo volumes unless they need them, as the feature is deprecated and not getting patches and has had two recent CVEs.

raesene.github.io/blog/2025/03

  • 1
  • 2
  • Last hour

Overview

  • Apache Software Foundation
  • Apache Tomcat

10 Mar 2025
Published
12 Mar 2025
Updated

CVSS
Pending
EPSS
0.04%

KEV

Description

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
  • attacker knowledge of the names of security sensitive files being uploaded
  • the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat's file based session persistence with the default storage location
  • application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse

This "analysis" by Wallarm - claiming active exploitation of CVE-2025-24813 Tomcat RCE - is wrong in multiple ways (maybe LLM slop?):

https://web.archive.org/web/20250314071219/https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/

There is a PoC on GitHub too now - it improves my findings by directly invoking the session corresponding to the saved object so you don't have to wait for periodic refreshes:

https://github.com/iSee857/CVE-2025-24813-PoC/

This PoC will raise the EPSS score too.

  • 1
  • 1
  • 3 hours ago

Overview

  • Santesoft
  • Sante PACS Server

13 Mar 2025
Published
13 Mar 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.04%

KEV

Description

During login to the web server in "Sante PACS Server.exe", OpenSSL function EVP_DecryptUpdate is called to decrypt the username and password. A fixed 0x80-byte stack-based buffer is passed to the function as the output buffer. A stack-based buffer overflow exists if a long encrypted username or password is supplied by an unauthenticated remote attacker.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse

BoF in PACS Server.

tenable.com/security/research/

sev:CRIT 9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

During login to the web server in "Sante PACS Server.exe", OpenSSL function EVP_DecryptUpdate is called to decrypt the username and password. A fixed 0x80-byte stack-based buffer is passed to the function as the output buffer. A stack-based buffer overflow exists if a long encrypted username or password is supplied by an unauthenticated remote attacker.

nvd.nist.gov/vuln/detail/CVE-2

  • 1
  • 1
  • 16 hours ago