CVE-2025-25293
Published 2025-03-12
Priority: P341 · high · CVSS 3.1 score 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.36% (68.2th percentile)
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.
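The flaw described above is a size check applied to the still-compressed message. As an added illustration (this is not ruby-saml's code; the cap, function names and payload are constructed), the vulnerable ordering is shown next to a version that bounds the inflated size while inflating in chunks:

```ruby
require "zlib"

# Constructed cap standing in for ruby-saml's message size limit (the real constant
# and its value are not quoted on this page).
MAX_SAML_BYTES = 250_000

# The SAML HTTP-Redirect binding sends raw DEFLATE (no zlib header), base64-encoded.
def raw_deflate(xml)
  d = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  out = d.deflate(xml, Zlib::FINISH)
  d.close
  out
end

def encode_redirect_payload(xml)
  [raw_deflate(xml)].pack("m0") # strict base64, no line breaks
end

# Vulnerable pattern (the pre-1.12.4 / pre-1.18.0 behaviour the advisory describes):
# the limit is applied to the still-compressed bytes, then inflation runs unbounded,
# so a few KB of DEFLATE may expand to hundreds of MB of XML in memory.
def decode_checked_before_inflate(encoded, limit: MAX_SAML_BYTES)
  raw = encoded.unpack1("m0")
  raise ArgumentError, "message too large" if raw.bytesize > limit
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  xml = inflater.inflate(raw)
  inflater.close
  xml
end

# Hardened pattern: keep the pre-inflation check, but also inflate in chunks and
# abort as soon as the *inflated* size crosses the limit, so memory stays bounded.
def decode_checked_after_inflate(encoded, limit: MAX_SAML_BYTES)
  raw = encoded.unpack1("m0")
  raise ArgumentError, "message too large" if raw.bytesize > limit
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  xml = String.new # binary buffer for the inflated XML
  # Block form yields consecutive chunks instead of buffering the whole output.
  inflater.inflate(raw) do |chunk|
    xml << chunk
    raise ArgumentError, "inflated message exceeds #{limit} bytes" if xml.bytesize > limit
  end
  inflater.close
  xml
end
```

A constructed 10 MB response of repeated bytes compresses to roughly 10 KB, passes the compressed-size check, and is only rejected by the second decoder.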
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-saml | < ruby-saml 1.11.0-1+deb11u2 (bullseye) | ruby-saml 1.11.0-1+deb11u2 (bullseye) |
| omniauth | omniauth_saml | < 1.10.6 | 1.10.6 |
| omniauth | omniauth_saml | >= 2.0.0 < 2.1.3 | 2.1.3 |
| omniauth | omniauth_saml | >= 2.2.0 < 2.2.3 | 2.2.3 |
| onelogin | ruby-saml | < 1.12.4 | 1.12.4 |
| onelogin | ruby-saml | >= 0 < 1.11.0-1+deb11u2 | 1.11.0-1+deb11u2 |
| onelogin | ruby-saml | >= 0 < 1.12.4 | 1.12.4 |
| onelogin | ruby-saml | >= 0 < 1.1.2-1ubuntu1+esm2 | 1.1.2-1ubuntu1+esm2 |
| onelogin | ruby-saml | >= 0 < 1.7.2-1ubuntu0.1~esm2 | 1.7.2-1ubuntu0.1~esm2 |
| onelogin | ruby-saml | >= 0 < 1.11.0-1ubuntu0.1+esm1 | 1.11.0-1ubuntu0.1+esm1 |
| onelogin | ruby-saml | >= 0 < 1.13.0-1ubuntu0.1+esm1 | 1.13.0-1ubuntu0.1+esm1 |
| onelogin | ruby-saml | >= 0 < 1.15.0-1ubuntu0.24.04.1+esm1 | 1.15.0-1ubuntu0.24.04.1+esm1 |
| onelogin | ruby-saml | >= 1.13.0 < 1.18.0 | 1.18.0 |
| onelogin | ruby-saml | >= 1.13.0 < 1.18.0 | 1.18.0 |
| saml-toolkits | ruby-saml | < 1.12.4 | 1.12.4 |
| saml-toolkits | ruby-saml | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 7.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 9.3 | CRITICAL | — |
| osv | — | 9.3 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.7 | HIGH | — |
Ubuntu
RubySAML vulnerabilities (vendor_ubuntu · 2025-04-02 · CVSS 9.8 · CVE-2025-25292 [CRITICAL])
Summary: Several security issues were fixed in ruby-saml.
It was discovered that ruby-saml did not correctly handle XML parsing. An attacker could possibly use this issue to perform a signature wrapping attack and bypass authentication. (CVE-2025-25291 and CVE-2025-25292)
It was discovered that ruby-saml did not correctly handle decompressing SAML responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-25293)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2025-25293: ruby-saml (vendor_debian · 2025 · CVSS 7.7 · [HIGH])
Scope: local
bookworm: open
bullseye: resolved (fixed in 1.11.0-1+deb11u2)
GHSA
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue (ghsa · 2025-03-12 · CVSS 9.3 · CVE-2025-25292 [CRITICAL] · CWE-347)
### Summary
There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulnerability (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml.
The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.
Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0.
### Impact
Signature Wrapping Vulnerabilities allow an attacker to impersonate a user.
GHSA
Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses (ghsa · 2025-03-12 · CVE-2025-25293 [HIGH] · CWE-400)
### Summary
ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses.
Ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after.
### Impact
This issue may lead to remote Denial of Service (DoS).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
- https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials
- https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a
- https://github.com/SAML-Toolkits/ruby-saml/commit/e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1
- https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4
- https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0
- https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq
- https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv
- https://securitylab.github.com/advisories/GHSL-2024-355_ruby-saml
- https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html
- https://security.netapp.com/advisory/ntap-20250314-0008/