FlagThis - #authbypass

GitLab has released critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE) platforms. The updates, included in versions 17.9.2, 17.8.5, and 17.7.7, fix nine vulnerabilities. Two of these are critical authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) within the ruby-saml library, used when SAML SSO authentication is enabled at the instance or group level. GitLab has already patched GitLab.com and will update GitLab Dedicated customers, but self-managed installations require immediate manual updates.

Exploitation of these flaws could allow attackers with access to a legitimate signed SAML document from an identity provider to impersonate any valid user, potentially leading to unauthorized access to sensitive repositories and data breaches. The issue stems from differences in XML parsing between REXML and Nokogiri. GitLab strongly advises all affected installations to upgrade to the latest versions as soon as possible to mitigate potential risks. Other vulnerabilities that were addressed are CVE-2025-27407, a high severity Ruby graphql vulnerability.


References :

• Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
• securityaffairs.com: SecurityAffairs article on GitLab addressed critical flaws in CE and EE
• socradar.io: SocRadar article on GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
• The DefendOps Diaries: GitLab's Critical Vulnerability Fixes: What You Need to Know
• BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
• Rescana: Rescana Cybersecurity Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7
• securityonline.info: GitLab urgently patches critical authentication bypass flaws – CVE-2025-25291 & CVE-2025-25292
• www.scworld.com: Account hijacking possible with ruby-saml library bugs
• bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.
• gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication

Classification:

• HashTags: #GitLab #AuthenticationBypass #SecurityUpdate
• Company: GitLab
• Target: GitLab users
• Product: GitLab CE/EE
• Feature: Authentication Bypass
• Malware: CVE-2025-25291 & CVE-2025-25292
• Type: Vulnerability
• Severity: Critical

Critical vulnerabilities in the ruby-saml library, tracked as CVE-2025-25291 and CVE-2025-25292, allow attackers to bypass authentication in applications using the library for Single Sign-On (SSO). These flaws stem from discrepancies in XML parsing between REXML and Nokogiri, potentially leading to account takeovers. An attacker possessing a valid signature from the targeted organization can craft SAML assertions to log in as any user.

The vulnerabilities were discovered during a security review by GitHub's Security Lab, prompting GitLab to release critical patches in versions 17.9.2, 17.8.5, and 17.7.7 for Community Edition and Enterprise Edition. Organizations are urged to upgrade to the latest ruby-saml version to mitigate the risk of authentication bypass and account hijacking. The ruby-saml library is used in various applications and products, including GitLab.


References :

• www.scworld.com: Account hijacking possible with ruby-saml library bugs
• gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication
• bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.

Classification:

• HashTags: #ruby-saml #authentication #accounttakeover
• Company: GitHub
• Target: Web Applications
• Product: ruby-saml
• Feature: SSO bypass
• Malware: ruby-saml vulns
• Type: Vulnerability
• Severity: Critical