Home > Vulnerability Database > CVE-2025-25293

Mend.io Vulnerability Database

CVE-2025-25293

Good to know:

Date: March 12, 2025

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

Severity Score

7.5

Related Resources (16)

Url: https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0

Url: https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4

Url: https://github.com/SAML-Toolkits/ruby-saml

Url: https://github.com/SAML-Toolkits/ruby-saml/commit/e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1

Url: https://security-tracker.debian.org/tracker/CVE-2025-25293

Url: https://securitylab.github.com/advisories/GHSL-2024-355_ruby-saml

Url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-25293.yml

Url: https://security.netapp.com/advisory/ntap-20250314-0008/

Url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv

Url: https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a

Url: https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials

Url: https://security.netapp.com/advisory/ntap-20250314-0008

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-25293

Url: https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released

Url: https://www.mend.io/vulnerability-database/CVE-2025-25293

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version ruby-saml - 1.18.0;ruby-saml - 1.12.4

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-25293

Good to know:

Date: March 12, 2025

Severity Score

Related Resources (16)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?