VYPR
High severity · NVD Advisory · Published Mar 12, 2025 · Updated Nov 3, 2025

ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses

CVE-2025-25293

Description

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ruby-saml prior to 1.12.4 and 1.18.0 is vulnerable to remote denial of service via compressed SAML responses that bypass message size checks.

Vulnerability

Overview

The vulnerability resides in how ruby-saml handles compressed SAML responses. The library uses zlib to decompress responses, but the message size check is performed on the compressed payload before inflation, not on the decompressed result. This allows an attacker to submit a small compressed assertion that expands to a much larger size, bypassing the intended size limit [1][3][4].
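The ordering problem described above, shown as an added Ruby illustration that is not ruby-saml's own code: a limit applied only to the compressed bytes (the vulnerable ordering) next to a streaming inflate that enforces the same limit on the inflated output. The byte limit, the sample payloads and the function names are assumptions constructed for this example.

```ruby
require "zlib"

# Constructed sample inputs (not taken from ruby-saml). Raw deflate (negative
# window bits) is the encoding used by the SAML HTTP-Redirect binding.
def raw_deflate(str)
  Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS).deflate(str, Zlib::FINISH)
end

SMALL_RAW = raw_deflate("<samlp:Response ID=\"_abc\"/>")
BOMB_RAW  = raw_deflate("\0" * (2 * 1024 * 1024))  # ~2 KiB compressed, 2 MiB inflated
MAX_BYTES = 250_000  # assumed limit for the example; not ruby-saml's real threshold

# Vulnerable ordering: the limit is applied to the compressed length, so the
# tiny bomb passes the check and is inflated in full before anything sees it.
def check_then_inflate(raw, max_bytes: MAX_BYTES)
  raise ArgumentError, "message too large" if raw.bytesize > max_bytes
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw)
end

class InflatedTooLarge < StandardError; end

# Hardened ordering: keep the cheap pre-check, then inflate in streaming
# chunks and abort as soon as the inflated output exceeds the limit. The
# overshoot is at most one zlib output chunk, never the full expansion.
def bounded_inflate(raw, max_bytes: MAX_BYTES)
  raise ArgumentError, "message too large" if raw.bytesize > max_bytes
  out = String.new  # binary buffer for the inflated bytes
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  inflater.inflate(raw) do |chunk|
    out << chunk
    raise InflatedTooLarge, "inflated size exceeds #{max_bytes} bytes" if out.bytesize > max_bytes
  end
  out
ensure
  inflater&.close
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable ordering inflated #{check_then_inflate(BOMB_RAW).bytesize} bytes"
  begin
    bounded_inflate(BOMB_RAW)
  rescue InflatedTooLarge => e
    puts "hardened ordering rejected the payload: #{e.message}"
  end
end
```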

Exploitation

An attacker can exploit this by sending a crafted SAML response to a service provider using ruby-saml. No prior authentication is required, and the attack can be carried out remotely. The compressed assertion evades the size validation, leading to excessive memory allocation or CPU consumption during decompression [3].

Impact

Successful exploitation results in a denial of service (DoS) condition. The application may become unresponsive or crash, disrupting SAML-based single sign-on functionality for legitimate users [1][3].

Mitigation

The issue is fixed in ruby-saml versions 1.12.4 and 1.18.0. Users are advised to upgrade to one of these patched releases. No workaround is documented [1][3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions      Patched versions
ruby-saml   RubyGems    < 1.12.4               1.12.4
ruby-saml   RubyGems    >= 1.13.0, < 1.18.0    1.18.0
