GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions

GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass.
The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system. It was addressed by the maintainers last week.
The problem as a result of the library not properly verifying the signature of the SAML Response. SAML, short for Security Assertion Markup Language, is a protocol that enables single sign-on (SSO) and exchange of authentication and authorization data across multiple apps and websites.
"An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents, according to a security advisory. "This would allow the attacker to log in as arbitrary user within the vulnerable system."
It's worth noting the flaw also impacts omniauth-saml, which shipped an update of its own (version 2.2.1) to upgrade ruby-saml to version 1.17.
The latest patch from GitLab is designed to update the dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0. This includes versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10.
As mitigations, GitLab is urging users of self-managed installations to enable two-factor authentication (2FA) for all accounts and disallow the SAML two-factor bypass option.
GitLab makes no mention of the flaw being exploited in the wild, but it has provided indicators of attempted or successful exploitation, suggesting that threat actors may be actively trying to capitalize on the shortcomings to gain access to susceptible GitLab instances.
"Successful exploitation attempts will trigger SAML related log events," it said. "A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation."
"Unsuccessful exploitation attempts may generate a ValidationError from the RubySaml library. This could be for a variety of reasons related to the complexity of crafting a working exploit."
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a recently disclosed critical bug impacting Apache HugeGraph-Server (CVE-2024-27348, CVSS score: 9.8), based on evidence of active exploitation.
Federal Civilian Executive Branch (FCEB) agencies have been recommended to remediate the identified vulnerabilities by October 9, 2024, to protect their networks against active threats.
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalInformation Disclosure - Suspicious Comments
HighPII Disclosure
CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
CWE-1256 Improper Restriction of Software Interfaces to Hardware Features
HighCWE-772 Missing Release of Resource after Effective Lifetime
CWE-303 Incorrect Implementation of Authentication Algorithm
CWE-435 Improper Interaction Between Multiple Correctly-Behaving Entities
Free online web security scanner