
Security researcher Hakivvi has published an in-depth analysis of CVE-2025-23369 (CVSSv4 7.6), a vulnerability that allows attackers to bypass SAML authentication on GitHub Enterprise.
Security Assertion Markup Language (SAML) is a widely used single sign-on (SSO) protocol that allows users to authenticate with an Identity Provider (IdP), which then generates a SAML Response containing the user’s identity attributes. This response is digitally signed to ensure its integrity.
GitHub Enterprise, like many enterprise applications, relies on SAML authentication to manage user access. The security of this process hinges on the integrity of the SAML response and its cryptographic validation. However, the newly identified flaw undermines these security checks, allowing attackers to forge or manipulate authentication responses.
This vulnerability stems from quirks in the libxml2 library, which is used by GitHub Enterprise to parse SAML responses. By exploiting these quirks, an attacker can craft a malicious SAML response that bypasses the authentication checks and gains access to arbitrary accounts.
“With this inconsistency, we can make #referenced_node mistake our arbitrary element for the root element,” Hakivvi explains in his report.
The root cause of the vulnerability lies in the way libxml2 handles XML entities in combination with its xmlNodeGetContent function. By using XML entities and manipulating the structure of the SAML response, the researcher could trick the SAML library's XPath query (the #referenced_node lookup quoted above) into selecting an attacker-controlled element instead of the root element. The attacker can therefore inject a malicious assertion that the SAML library validates as if it were legitimate, bypassing the authentication process.
Hakivvi’s analysis provides a detailed breakdown of the vulnerability, including a proof-of-concept exploit and a root cause analysis. The researcher also delves into the internals of libxml2, explaining how the XPath engine and the xmlNodeGetContent function work, and how they can be manipulated to achieve the bypass.
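The failure mode described above is that the element the signature check resolves to and the element the application consumes are not the same node. A defensive pre-check on the relying-party side can rule out the document shapes that make such confusion possible before any cryptographic verification runs. The following is an added example written for this article; it is not code from Hakivvi's writeup, from GitHub Enterprise, or from any SAML library. It uses only the Python standard library, the sample responses are constructed here, and the checks generalise beyond this one bug: no DTD or entity declarations at all, the enveloped signature's single Reference must point at the root Response ID, that ID must be unique, and exactly one Assertion may appear, as a direct child of the root. It deliberately does not perform XML Signature verification itself; it is the gate in front of it.

```python
from typing import List, Tuple
from xml.etree import ElementTree as ET

# Namespaces used in SAML 2.0 responses and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RESPONSE_TAG = "{%s}Response" % NS["samlp"]


def precheck_saml_response(xml_bytes: bytes) -> Tuple[bool, str]:
    """Structural checks to run before any signature verification.

    Returns (ok, reason). This does NOT verify the XML signature; it only
    ensures the document has the one shape in which the node covered by the
    signature is unambiguously the root samlp:Response element.
    """
    # 1. A SAML response never legitimately carries a DTD. Reject DOCTYPE and
    #    ENTITY declarations before the parser sees them (entity expansion is
    #    exactly where parser-specific behaviour starts to differ).
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return False, "DTD or entity declaration present"

    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc

    # 2. The document element must be samlp:Response with a non-empty ID.
    if root.tag != RESPONSE_TAG:
        return False, "document element is not samlp:Response"
    root_id = root.get("ID")
    if not root_id:
        return False, "samlp:Response has no ID"

    # 3. The enveloped signature must be a direct child of the root, and its
    #    single Reference must point at the root's ID (URI="#<root ID>").
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return False, "no ds:Signature directly under samlp:Response"
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False, "expected exactly one ds:Reference, found %d" % len(refs)
    if refs[0].get("URI") != "#" + root_id:
        return False, "ds:Reference URI %r does not point at the root ID" % refs[0].get("URI")

    # 4. The referenced ID must be unique, so an ID-based lookup can only ever
    #    resolve to the root element.
    ids: List[str] = [e.get("ID") for e in root.iter() if e.get("ID")]
    if ids.count(root_id) != 1:
        return False, "ID %r is not unique in the document" % root_id

    # 5. Exactly one Assertion, and it must be a direct child of the root; no
    #    assertion may sit anywhere else in the tree.
    if len(root.findall(".//saml:Assertion", NS)) != 1 or len(root.findall("saml:Assertion", NS)) != 1:
        return False, "expected exactly one saml:Assertion as a direct child of the root"

    return True, "ok"


# Constructed sample: a minimal, well-formed response (signature value is a
# placeholder; the cryptographic check is out of scope for this gate).
GOOD = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
    <saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""

# Constructed negative samples derived from GOOD.
WITH_DTD = b'<!DOCTYPE samlp:Response [<!ENTITY dummy "x">]>' + GOOD
WRONG_REF = GOOD.replace(b'URI="#_resp1"', b'URI="#_a1"')
TWO_ASSERTIONS = GOOD.replace(
    b"</samlp:Response>", b'<saml:Assertion ID="_a2" Version="2.0"/></samlp:Response>'
)

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("WITH_DTD", WITH_DTD),
                      ("WRONG_REF", WRONG_REF), ("TWO_ASSERTIONS", TWO_ASSERTIONS)]:
        print(name, precheck_saml_response(doc))
```

Run on a real deployment, these checks would sit in front of the library's signature verification and, in a detection pipeline, each rejection reason is a useful log line: a DTD in a SAML response or a Reference URI that does not name the root is never something a legitimate IdP produces.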
Just finished my writeup about CVE-2025-23369, an interesting SAML authentication bypass on GitHub Enterprise Server I reported last year. You can read about it here: https://t.co/Ee61EoACtE pic.twitter.com/mYNjXhExlp
— hakim (@hakivvi) February 8, 2025
Since GitHub Enterprise is widely used by organizations for secure code hosting and collaboration, this vulnerability poses a significant risk. Attackers exploiting CVE-2025-23369 could:
- Gain unauthorized access to GitHub Enterprise accounts.
- Compromise private repositories, leaking sensitive source code and intellectual property.
- Escalate privileges within an organization’s GitHub environment.
Given the severity of this issue, organizations using GitHub Enterprise with SAML authentication enabled are strongly advised to review their authentication configurations and apply patches immediately.
GitHub has addressed the vulnerability in their latest update, and users are urged to update their systems as soon as possible.