High severityNVD Advisory· Published Mar 12, 2025· Updated Nov 3, 2025
ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses
CVE-2025-25293
Description
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ruby-samlRubyGems | < 1.12.4 | 1.12.4 |
ruby-samlRubyGems | >= 1.13.0, < 1.18.0 | 1.18.0 |
Affected products
3- osv-coords2 versions
< 17.9.2+ 1 more
- (no CPE)range: < 17.9.2
- (no CPE)range: < 1.12.4
- Range: < 1.12.4
Patches
Vulnerability mechanics
References
14- github.com/advisories/GHSA-92rq-c8cf-prrqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-25293ghsaADVISORY
- securitylab.github.com/advisories/GHSL-2024-355_ruby-samlghsax_refsource_MISCADVISORY
- about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-releasedghsax_refsource_MISCWEB
- github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentialsghsax_refsource_MISCWEB
- github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349aghsax_refsource_MISCWEB
- github.com/SAML-Toolkits/ruby-saml/commit/e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1ghsax_refsource_MISCWEB
- github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4ghsax_refsource_MISCWEB
- github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0ghsax_refsource_MISCWEB
- github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrqghsax_refsource_CONFIRMWEB
- github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xvghsax_refsource_MISCWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-25293.ymlghsaWEB
- lists.debian.org/debian-lts-announce/2025/04/msg00011.htmlghsaWEB
- security.netapp.com/advisory/ntap-20250314-0008ghsaWEB
News mentions
0No linked articles in our index yet.