A significant vulnerability has been identified in GitHub Enterprise Server that allows attackers to bypass SAML authentication and log in as other user accounts.
The exploit leverages quirks in the libxml2 library, specifically in its handling of XML entities, to deceive the signature verification process.
The vulnerability, designated CVE-2025-23369, highlights the importance of robust security measures in authentication systems.
SAML (Security Assertion Markup Language) is a protocol for exchanging authentication and authorization data between systems.
hakivvi, a security analyst at repz ret, notes that it works much like OAuth2/OpenID, but instead of returning an access token the identity provider returns a Response object containing user attributes such as email and name.
This Response is protected by a digital signature so that it cannot be tampered with.
(The article's sample SAML Response did not survive extraction; only its Issuer value, http://idp.example.com/metadata.php, and an obfuscated NameID e-mail address remain.)
The Vulnerability
The vulnerability exploits an inconsistency in how XML entities are handled during signature verification.
By defining an ID attribute through an XML entity, an attacker can make the verification code mistakenly identify an arbitrary element (an Assertion) as the root element (the Response).
require 'nokogiri'

# The Response markup in the article was lost in extraction; this minimal stand-in
# keeps the relevant shape: the Response ID is supplied through a DTD entity, while
# the Assertion carries the same value as a literal attribute (IDs are placeholders).
xml = <<-XML
<!DOCTYPE Response [ <!ENTITY respId "_placeholder_id"> ]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="&respId;">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <saml:Assertion ID="_placeholder_id"/>
</samlp:Response>
XML
doc = Nokogiri::XML(xml)
wsu = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
# $uri is the Reference URI the verifier is resolving; Nokogiri binds XPath variables via the third argument.
puts doc.xpath('//*[@ID=$uri or @wsu:Id=$uri]', { 'wsu' => wsu }, { 'uri' => '_placeholder_id' }).first
This snippet shows how the XPath query can return the Assertion element instead of the expected Response element when the Response's ID is supplied through an XML entity.
To exploit this vulnerability, an attacker crafts a SAML Response whose ID attribute is defined by an XML entity.
This entity is then referenced in the Assertion element, causing the verification code to mistakenly validate the signature against the Assertion instead of the Response.
The CVE-2025-23369 vulnerability shows the importance of thoroughly testing and securing authentication systems.
It also highlights how subtle inconsistencies in XML parsing can lead to significant security breaches.
GitHub has addressed this issue, but it serves as a reminder for developers to scrutinize their authentication mechanisms closely.
Developers should thoroughly test XML parsing libraries to ensure that they handle entities correctly and prevent similar exploits.
They must also implement robust signature verification by checking signatures against the expected root element to avoid misidentification.
Besides this, regularly updating dependencies, such as keeping libraries like libxml2 current, helps mitigate known vulnerabilities.
By following these guidelines, developers can enhance the security of their SAML-based authentication systems.
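The check described above, written out as an added example: this is not GitHub's code or the article's, and it uses Ruby's bundled REXML rather than Nokogiri. Before any cryptographic verification, it rejects a Response that carries a DOCTYPE (a SAML Response never needs one, and entities are where the libxml2 quirk lives), then resolves the enveloped signature's Reference URI against the root Response element's own ID instead of searching the whole document for any element with a matching ID. The sample documents, the build_response helper, the element IDs and the check_signed_root function are all constructed for this example; it assumes one ds:Signature with a single Reference directly under the Response.

```ruby
require 'rexml/document'

SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol'
DS_NS    = 'http://www.w3.org/2000/09/xmldsig#'
NS_MAP   = { 'samlp' => SAMLP_NS, 'ds' => DS_NS }

# Returns [:ok, id] when the signature reference resolves to the root Response
# element, otherwise [:reject, reason]. Runs before any signature is verified.
def check_signed_root(xml)
  doc = REXML::Document.new(xml)
  # A SAML Response never needs a DTD; refusing one removes entity tricks entirely.
  return [:reject, 'DOCTYPE present'] if doc.doctype
  root = doc.root
  unless root && root.name == 'Response' && root.namespace == SAMLP_NS
    return [:reject, 'root element is not samlp:Response']
  end
  ref = REXML::XPath.first(root, 'ds:Signature/ds:SignedInfo/ds:Reference', NS_MAP)
  return [:reject, 'no signature reference'] unless ref
  uri = ref.attributes['URI'].to_s
  return [:reject, 'reference is not a same-document fragment'] unless uri.start_with?('#')
  # Compare against the root's own ID attribute rather than running an
  # //*[@ID=$uri] search that may land on an Assertion.
  return [:reject, 'signature does not cover the Response'] unless root.attributes['ID'] == uri[1..-1]
  [:ok, uri[1..-1]]
rescue REXML::ParseException
  [:reject, 'malformed XML']
end

# Constructed sample documents with placeholder IDs (not real IdP output).
def build_response(id_attr, ref_uri, doctype: '')
  <<~XML
    #{doctype}
    <samlp:Response xmlns:samlp="#{SAMLP_NS}" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="#{id_attr}" Version="2.0">
      <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
      <ds:Signature xmlns:ds="#{DS_NS}"><ds:SignedInfo><ds:Reference URI="#{ref_uri}"/></ds:SignedInfo></ds:Signature>
      <saml:Assertion ID="_assertion_placeholder" Version="2.0"/>
    </samlp:Response>
  XML
end

if __FILE__ == $0
  # Signature covers the Response: accepted.
  p check_signed_root(build_response('_response_placeholder', '#_response_placeholder'))
  # Reference points at the Assertion, not the root: rejected.
  p check_signed_root(build_response('_response_placeholder', '#_assertion_placeholder'))
  # Response ID supplied through a DTD entity: rejected before IDs are even compared.
  p check_signed_root(build_response('&respId;', '#_response_placeholder',
                                     doctype: '<!DOCTYPE Response [ <!ENTITY respId "_response_placeholder"> ]>'))
end
```

The design point is the order of the checks: structural rejections (DTD present, wrong root, reference not on the root) happen before any XPath search or signature math, so a verifier never reasons about which element "won" an ID lookup.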