
Ruby SAML CVE-2024-45409: As bad as it gets and hiding in plain sight

What's this blog post about?

On September 10th, 2024, a critical security flaw (CVE-2024-45409) was disclosed in the Ruby-SAML and OmniAuth-SAML libraries, allowing a complete authentication bypass. The vulnerability carries the highest possible score of 10 on GitHub's CVE rubric and a 9.8 NIST base score. The flaw lets an attacker log in as any user, including administrators. It went undiscovered for over a decade in a popular open-source library used for authentication. GitLab has released patches for its community and enterprise editions, but users must update their systems immediately to mitigate the vulnerability. This incident highlights the challenges of maintaining open-source projects and the need for regular security audits and trusted security experts like WorkOS.

Company
WorkOS

Date published
Oct. 23, 2024

Author(s)
Zack Proser

Word count
1140

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.