GHSA-66pp-5p9w-q87j: Shescape has potential environment variable exposure on Windows with CMD

GHSA-3p6v-hrg8-8qj7: @mozilla/readability Denial of Service through Regex

GHSA-5565-3c98-g6jc: WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack

GHSA-7287-grhx-542x: Pixelfed may allow unauthorized actor to view private posts and private users

GHSA-qrv3-jc3h-f3m6: Frappe vulnerable to information disclosure leading to account takeover

### Summary
There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml.

The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.

Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0.

### Impact
Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.

**omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue**

Critical severity GitHub Reviewed Published Mar 12, 2025 in omniauth/omniauth-saml • Updated Mar 12, 2025

Headline

GHSA-hw46-3hmr-x9xv: omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue

Summary

Impact

ghsa: Latest News