ruby-saml
RubyGems: 9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting ruby-saml
- CVE-2015-20108 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 1.0.0 | 2023-05-27
vulnerable: 0.0.5 ... 0.9.4 (53 versions)
xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.
- CVE-2016-5697 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.3.0 | 2017-01-23
vulnerable: 0.0.5 ... 1.2.0 (58 versions)
Ruby-saml before 1.3.0 allows attackers to perform XML signature wrapping attacks via unspecified vectors.
- CVE-2017-11428 | HIGH | CVSS 7.7 | EG 7.7 | Fixed in 1.7.0 | 2019-04-17
vulnerable: 0.0.5 ... 1.6.2 (68 versions)
OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature…
- CVE-2024-45409 | CRITICAL | CVSS 10.0 | EG 10.0 | Fixed in 1.17.0 | 2024-09-10
vulnerable: 1.13.0, 1.14.0, 1.15.0, 1.16.0
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed…
- CVE-2025-25291 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 1.12.4 | 2025-03-12
vulnerable: 0.0.5 ... 1.9.0 (81 versions)
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri …
- CVE-2025-25292 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 1.18.0 | 2025-03-12
vulnerable: 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri …
- CVE-2025-54572 | MEDIUM | CVSS 6.9 | EG 0.0 | Fixed in 1.18.1 | 2025-07-30
vulnerable: 0.0.5 ... 1.9.0 (88 versions)
The Ruby SAML library is for implementing the client side of a SAML authorization. In versions 1.18.0 and below, a denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability…
- CVE-2025-66567 | CRITICAL | CVSS 9.1 | EG 9.1 | Fixed in 1.18.0 | 2025-12-09
vulnerable: 0.0.5 ... 1.9.0 (87 versions)
The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri…
- CVE-2025-66568 | CRITICAL | CVSS 9.1 | EG 9.1 | Fixed in 1.18.0 | 2025-12-09
vulnerable: 0.0.5 ... 1.9.0 (87 versions)
The ruby-saml library implements the client side of a SAML authorization. Versions up to and including 1.12.4 are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformati…