CVE-2025-54572
Published 2025-07-30
Priority P3 (38) · medium · 6.9 CVSS 4.0
EPSS 0.38% (30.2nd percentile)
The Ruby SAML library is for implementing the client side of a SAML authorization. In versions 1.18.0 and below, a denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion. This is fixed in version 1.18.1.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-saml | < ruby-saml 1.11.0-1+deb11u3 (bullseye) | ruby-saml 1.11.0-1+deb11u3 (bullseye) |
| onelogin | ruby-saml | >= 0 < 1.11.0-1+deb11u3 | 1.11.0-1+deb11u3 |
| onelogin | ruby-saml | >= 0 < 1.18.1 | 1.18.1 |
| saml-toolkits | ruby-saml | < 1.18.1 | 1.18.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 6.9 | MEDIUM | |
| vendor_debian | | 6.9 | MEDIUM | |
OSV
Ruby SAML DOS vulnerability with large SAML response
osv·2025-07-30
CVE-2025-54572 [MEDIUM] Ruby SAML DOS vulnerability with large SAML response
### Summary
A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.
### Details
`ruby-saml` includes a `message_max_bytesize` setting intended to prevent DOS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code:
https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb
```ruby
def decode_raw_saml(saml, settings = nil)
return saml unless base64_encoded?(saml) # settings.message_max
```
GHSA
Ruby SAML DOS vulnerability with large SAML response
ghsa·2025-07-30
CVE-2025-54572 [MEDIUM] CWE-400 Ruby SAML DOS vulnerability with large SAML response
OSV
CVE-2025-54572: The Ruby SAML library is for implementing the client side of a SAML authorization
osv·2025-07-30·CVSS 6.9
Debian
CVE-2025-54572: ruby-saml - The Ruby SAML library is for implementing the client side of a SAML authorizatio...
vendor_debian·2025·CVSS 6.9
Scope: local
bookworm: open
bullseye: resolved (fixed in 1.11.0-1+deb11u3)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
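The advisory text above comes down to an ordering bug: the Base64 format check walks the entire attacker-supplied body before `message_max_bytesize` is ever consulted, so the bound never limits the work done on an oversize message. The following is an added example written for this page, not ruby-saml's own code. It models the two orderings side by side with an instrumented format check so the difference is observable; the `BASE64_FORMAT` regex is an approximation of what such a check looks like (an assumption of this example, not a quote of the library), the decoder skips the deflate step a real SAML Redirect-binding message would need, and the sample inputs are constructed.

```ruby
require "base64"

# Added example: a minimal model of the check ordering described in the
# advisory. Not ruby-saml's code. The regex below only approximates the
# shape of a Base64-format check and is an assumption of this example.
BASE64_FORMAT = %r{\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)\z}

class MessageTooLarge < StandardError; end

# Instrumented format check: the counter records how many times the
# attacker-controlled body was scanned, so a caller can see whether that
# happened before or after the size bound was applied.
class Base64Check
  @count = 0
  class << self
    attr_accessor :count
  end

  def self.encoded?(str)
    self.count += 1
    str.match?(BASE64_FORMAT)
  end
end

# Vulnerable ordering (the pattern the advisory attributes to <= 1.18.0):
# the whole body is regex-scanned first; only a body that passes the
# format check ever reaches the max_bytesize comparison, so the bound does
# nothing to limit CPU and memory spent on an oversize message.
def decode_raw_saml_vulnerable(saml, max_bytesize)
  return saml unless Base64Check.encoded?(saml)
  raise MessageTooLarge, "#{saml.bytesize} > #{max_bytesize}" if saml.bytesize > max_bytesize
  Base64.decode64(saml)
end

# Hardened ordering: compare the cheap, O(1) encoded length against the
# bound before any per-byte work (format check, decode, and in a real
# implementation, inflate).
def decode_raw_saml_hardened(saml, max_bytesize)
  raise MessageTooLarge, "#{saml.bytesize} > #{max_bytesize}" if saml.bytesize > max_bytesize
  return saml unless Base64Check.encoded?(saml)
  Base64.decode64(saml)
end

# Runs one decoder against a message and reports how many format scans
# happened before it was rejected (nil if the message was accepted).
def scans_before_rejection(decoder, saml, max_bytesize)
  Base64Check.count = 0
  decoder.call(saml, max_bytesize)
  nil
rescue MessageTooLarge
  Base64Check.count
end

MAX_BYTES = 1024

# Constructed inputs: a small legitimate-looking response, and an oversize
# body made entirely of valid Base64 characters so the format check has
# to scan all of it before it can return true.
SMALL_SAML = Base64.strict_encode64("<samlp:Response ID=\"_example\"/>")
OVERSIZE_SAML = "A" * (64 * 1024)

if __FILE__ == $0
  puts "vulnerable: scans before reject = #{scans_before_rejection(method(:decode_raw_saml_vulnerable), OVERSIZE_SAML, MAX_BYTES)}"
  puts "hardened:   scans before reject = #{scans_before_rejection(method(:decode_raw_saml_hardened), OVERSIZE_SAML, MAX_BYTES)}"
  puts "small message decodes to: #{decode_raw_saml_hardened(SMALL_SAML, MAX_BYTES)}"
end
```

With the 64 KiB body the vulnerable decoder scans the whole message once and only then rejects it; the hardened decoder rejects it with zero scans. The general rule for any "max size" guard on untrusted input is the same: measure the cheapest available quantity (the encoded byte length) first, and put every per-byte operation, including format validation, behind that check.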
https://github.com/SAML-Toolkits/ruby-saml/commit/38ef5dd1ce17514e202431f569c4f5633e6c2709
https://github.com/SAML-Toolkits/ruby-saml/pull/770
https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.1
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966
https://lists.debian.org/debian-lts-announce/2025/09/msg00001.html