Is omniauth-saml affected by GHSA-hw46-3hmr-x9xv?

RubyGems omniauth-saml is affected in >=2.2.0 =2.0.0 <2.1.3, <1.10.6.

Is GHSA-hw46-3hmr-x9xv being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

critical

GHSA-hw46-3hmr-x9xv

Q: Is GHSA-hw46-3hmr-x9xv being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

RubyGems · omniauth-saml

Summary

omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue

Severity: critical
Published: 2025-03-12

References

https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv
https://github.com/omniauth/omniauth-saml/commit/0d5eaa0d808acb2ac96deadf5c750ac1cf2d92b5
https://github.com/omniauth/omniauth-saml/commit/2c8a482801808bbcb0188214bde74680b8018a35

Related advisories

GHSA-cvp8-5r8g-fhvq — critical · RubyGems/omniauth-saml
CVE-2017-11430 — high · RubyGems/omniauth-saml

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.