Critical authentication bypass vulnerabilities (CVE-2025-25291 and CVE-2025-25292) were found in ruby-saml up to version 1.17.0. An attacker who holds a valid signature can log in as any user, creating a potential account takeover risk. GitHub plans to use open source libraries for SAML authentication but has faced vulnerabilities in ruby-saml before, such as CVE-2024-45409. A parser differential, in which two parsers interpret the same document differently, allowed exploitation, enabling forged assertions and user impersonation. While a fix for the issue is underway, the recommendation is to update ruby-saml to version 1.18.0. The complexity of SAML responses and XML signatures makes securing implementations challenging.
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/