Hello,
The University Information Security Office (UISO) has been alerted to a high-severity vulnerability affecting OpenSAML (an open-source Security Assertion Markup Language library), SimpleSAMLphp, and Ruby-SAML. This vulnerability could allow signature confusion, potentially leading to Single Sign-On (SSO) forgery or impersonation attacks. Any implementation using these libraries may be affected.
Affected Versions:
- OpenSAML: Versions prior to 3.3.1
- SimpleSAMLphp: Versions prior to 2.3.7
- Ruby-SAML: Versions prior to 1.12.4 and 1.18.0
Note: The SAMLauth Drupal module and the miniorange-saml-20-single-sign-on WordPress plugin are not affected and do not require action.
Required Action:
To mitigate this vulnerability, update to the latest versions as soon as possible:
- OpenSAML: 3.3.1
- SimpleSAMLphp: 2.3.7
- Ruby-SAML: 1.12.4 or 1.18.0
If you have any questions, please contact uiso@iu.edu.
References
- SimpleSAMLphp SAML2 library vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2025-27773
- Ruby-SAML vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2025-25291
- Ruby-SAML vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2025-25292
Thank you for your prompt attention to this issue.
–IT Community Partnerships on behalf of University Information Security Office (UISO)