Pierluigi Paganini March 13, 2025

GitLab addressed two critical authentication bypass vulnerabilities in Community Edition (CE) and Enterprise Edition (EE).

GitLab released security updates to address critical vulnerabilities in Community Edition (CE) and Enterprise Edition (EE). The company addressed nine vulnerabilities, including the two critical ruby-saml authentication bypass issues respectively tracked as CVE-2025-25291 and CVE-2025-25292.

GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2 addressed the issue. GitLab.com is already patched.

“GitLab has remediated two privately disclosed security issues (CVE-2025-25291, CVE-2025-25292) identified in the ruby-saml library which GitLab uses when SAML SSO authentication is enabled at the instance or group level.” reads the advisory published by the company. “On GitLab CE/EE instances using SAML authentication, under certain circumstances, an attacker with access to a valid signed SAML document from the IdP could authenticate as another valid user within the environment’s SAML IdP.”

Attackers with a valid signed SAML document can impersonate users within the same SAML IdP, risking data breaches and privilege escalation.

“Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.” reads a technical analysis of the two critical flaws. In other words, it could be used for an account takeover attack.”

GitLab Dedicated customers receive automatic updates, while self-managed users must apply updates manually.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.” continues the advisory. “When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”

GitHub doesn’t use ruby-saml for authentication but found its vulnerabilities in GitLab and alerted their security team to mitigate potential attacks.

“GitHub doesn’t currently use ruby-saml for authentication, but began evaluating the use of the library with the intention of using an open source library for SAML authentication once more. This library is, however, used in other popular projects and products.” continues the analysis. “We discovered an exploitable instance of this vulnerability in GitLab, and have notified their security team so they can take necessary actions to protect their users against potential attacks.”

Below is the full list of flaws addressed by the company:

Customers unable to update GitLab CE/EE should enable two-factor authentication, disable SAML two-factor bypass, and require admin approval for new users.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)