VYPR
High severityNVD Advisory· Published Mar 12, 2025· Updated Nov 3, 2025

ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses

CVE-2025-25293

Description

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
ruby-samlRubyGems
< 1.12.41.12.4
ruby-samlRubyGems
>= 1.13.0, < 1.18.01.18.0

Affected products

3

Patches

Vulnerability mechanics

References

14

News mentions

0

No linked articles in our index yet.