CVE-2025-25291 Scanner

CVE-2025-25291 Scanner - Authentication Bypass vulnerability in GitLab

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 24 days 20 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

GitLab is a widely used DevOps platform that provides a comprehensive set of tools for software development, from version control and CI/CD pipelines to security scanning and deployment. It is used by organizations of all sizes to streamline software development workflows and enforce secure code practices. GitLab supports integration with external authentication services, including SAML-based single sign-on. This capability enables enterprises to centralize user authentication across their infrastructure. The platform is implemented in various deployment models, including self-managed and cloud-hosted solutions. Due to its widespread use in production environments, vulnerabilities affecting GitLab can have significant security implications.

This scanner identifies an authentication bypass vulnerability in GitLab that arises due to inconsistent parsing behavior in SAML XML processing. Specifically, ruby-saml versions prior to 1.12.4 and 1.18.0 were affected by a parser differential issue where ReXML and Nokogiri parsed the same XML differently. This inconsistency enables attackers to craft SAML responses that bypass signature verification. Exploiting this vulnerability can allow unauthorized users to impersonate legitimate accounts. The issue is critical because it undermines the trust model of single sign-on. GitLab versions using the vulnerable ruby-saml library are particularly at risk.

The vulnerability stems from the way ruby-saml processes SAML responses containing malicious XML payloads. Attackers exploit parser differences to conduct a Signature Wrapping attack, injecting a malicious XML structure while preserving a valid signature in a separate, unused part of the message. By manipulating SAML attributes such as `NameID` and `email`, attackers can forge authenticated sessions. This crafted SAML response is then POSTed to GitLab’s SAML callback endpoint at `/users/auth/saml/callback`. If successful, the attacker is granted authenticated access and receives a valid session cookie. GitLab instances relying on affected ruby-saml versions are susceptible to this bypass.
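The primary fix for the issue described above is to upgrade ruby-saml to a patched release (1.12.4 or 1.18.0 and later). As a defensive complement, a service provider can reject any SAML Response whose signed element is not the element it is about to consume, which is exactly the property a Signature Wrapping payload violates. The following Python check, added here as an illustration and not code from this scanner, GitLab or ruby-saml, walks a SAML 2.0 Response with the standard library and reports structural findings: more than one Assertion, an Assertion that is not a direct child of the Response, a Signature enclosed by an unexpected element, a Reference URI that does not point at the element enclosing the Signature, and a consumed Assertion that is neither signed itself nor covered by a Response-level signature. The two sample documents are constructed for the example and carry placeholder signatures; a real validator must still perform full XML-DSig verification.

```python
"""Structural pre-checks for SAML 2.0 Responses against XML Signature Wrapping.

Added example: these checks complement, and do not replace, full XML-DSig
verification with a patched SAML library. Sample inputs are constructed.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _tag(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def saml_structure_findings(xml_text):
    """Return a list of reasons to reject the Response; [] means structurally sound.

    The invariant enforced is: the element that carries a Signature must be the
    element the Reference URI names, and the Assertion the SP consumes must be a
    direct child of the Response and be covered by a signature.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _tag(SAMLP, "Response"):
        return ["root element is not samlp:Response"]

    # ElementTree has no parent pointers; build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []

    signatures = list(root.iter(_tag(DS, "Signature")))
    if not signatures:
        findings.append("no ds:Signature present")
    response_signed = any(parent_of[sig] is root for sig in signatures)

    assertions = list(root.iter(_tag(SAML, "Assertion")))
    if len(assertions) != 1:
        findings.append("expected exactly one saml:Assertion, found %d" % len(assertions))
    for assertion in assertions:
        if parent_of[assertion] is not root:
            # A signed assertion hidden under Extensions/Object is the classic wrapping spot.
            findings.append("Assertion %s is not a direct child of Response" % assertion.get("ID"))
        elif not response_signed and assertion.find(_tag(DS, "Signature")) is None:
            findings.append("Assertion %s is neither signed itself nor covered by a Response signature"
                            % assertion.get("ID"))

    for sig in signatures:
        signed = parent_of[sig]
        if signed.tag not in (_tag(SAMLP, "Response"), _tag(SAML, "Assertion")):
            findings.append("Signature enclosed by unexpected element %s" % signed.tag)
            continue
        ref = sig.find(".//" + _tag(DS, "Reference"))
        uri = (ref.get("URI") if ref is not None else None) or ""
        if uri.lstrip("#") != (signed.get("ID") or ""):
            findings.append("Signature Reference URI %r does not match enclosing element ID %r"
                            % (uri, signed.get("ID")))
    return findings


_NS = ('xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s"' % (SAMLP, SAML, DS))

# Constructed: one assertion, signed in place, Reference points at its own ID.
CLEAN_RESPONSE = """<samlp:Response %s ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""" % _NS

# Constructed: the signed assertion is parked in Extensions while an unsigned
# assertion with a different NameID sits where the SP reads it.
WRAPPED_RESPONSE = """<samlp:Response %s ID="_resp1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""" % _NS


if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_RESPONSE), ("wrapped", WRAPPED_RESPONSE)):
        print(name, saml_structure_findings(doc) or "OK")
```

Run as a script it prints `OK` for the clean document and three findings for the wrapped one. The checks deliberately operate on a single parse tree: the parser-differential root cause means the answer to "which element was signed" must come from the same tree that is later consulted for `NameID`, never from a second parser.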

Exploitation of this vulnerability allows attackers to bypass authentication and access accounts without valid credentials. It may lead to full compromise of GitLab user accounts, including privileged administrative accounts. Once authenticated, attackers can view or modify code repositories, pipeline configurations, and secrets. Additionally, they can escalate their privileges further by modifying user roles or adding SSH keys. This poses a severe risk in enterprise environments where GitLab serves as a central DevOps platform. If exploited at scale, it could lead to widespread supply chain attacks.
