ghsa-rrqh-93c8-j966
Vulnerability from github
Summary
A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.
Details
ruby-saml includes a `message_max_bytesize` setting intended to prevent DoS attacks and decompression bombs. However, this protection is ineffective in some cases because of the order of operations in the code:
https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb
```ruby
def decode_raw_saml(saml, settings = nil)
  return saml unless base64_encoded?(saml) # <--- Issue here. Should be moved after next code block.

  settings = OneLogin::RubySaml::Settings.new if settings.nil?
  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end

  decoded = decode(saml)
  ...
end
```
The vulnerability is in the execution order. Before the bytesize is checked, the `base64_encoded?` function strips whitespace from, and runs a regex match over, the entire input string:
```ruby
!!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
```
Impact
When successfully exploited, this vulnerability can lead to:
- Excessive memory consumption
- High CPU utilization
- Application slowdown or unresponsiveness
- Complete application crash in severe cases
- Potential denial of service for legitimate users
All applications using ruby-saml with SAML configured and enabled are vulnerable.
Potential Solution
Reorder the validation steps so that the max bytesize is checked first:
```ruby
def decode_raw_saml(saml, settings = nil)
  settings = OneLogin::RubySaml::Settings.new if settings.nil?

  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end

  return saml unless base64_encoded?(saml)
  decoded = decode(saml)
  ...
end
```
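To make the effect of the reordering observable, here is an added example (not ruby-saml's own code) that models `decode_raw_saml` in both the vulnerable and the fixed ordering, with `base64_encoded?` instrumented to count how often the whole-input regex is evaluated. The `Decoder` class, its `probe` helper and the 4 KiB test input are constructed for this example, and `BASE64_FORMAT` is an approximation of the library's constant.

```ruby
require 'base64'
# Added example, not ruby-saml's own code: a minimal model of decode_raw_saml
# in the vulnerable and the fixed ordering, instrumented to count how often the
# whole-input Base64 regex runs. BASE64_FORMAT approximates the library's constant
# (an assumption); the anchored pattern is what the real check also relies on.
BASE64_FORMAT = %r{\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)\z}
class ValidationError < StandardError; end

class Decoder
  attr_reader :regex_runs

  def initialize(message_max_bytesize)
    @max_bytes = message_max_bytesize
    @regex_runs = 0
  end

  # Same shape as the library's check: strip whitespace, then regex-match the
  # entire string. The counter records that the expensive work happened.
  def base64_encoded?(string)
    @regex_runs += 1
    !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
  end

  def check_size!(saml)
    return if saml.bytesize <= @max_bytes
    raise ValidationError, "Encoded SAML Message exceeds #{@max_bytes} bytes, so was rejected"
  end

  # Vulnerable ordering: the regex runs over the input before the limit is consulted.
  def decode_vulnerable(saml)
    return saml unless base64_encoded?(saml)
    check_size!(saml)
    Base64.decode64(saml)
  end

  # Fixed ordering (as in 1.18.1): the limit is enforced first, so an oversized
  # message is rejected without the regex ever touching it.
  def decode_fixed(saml)
    check_size!(saml)
    return saml unless base64_encoded?(saml)
    Base64.decode64(saml)
  end

  # Runs one ordering and reports [:accepted or :rejected, number of regex runs].
  def self.probe(order, saml, max_bytes)
    d = new(max_bytes)
    order == :fixed ? d.decode_fixed(saml) : d.decode_vulnerable(saml)
    [:accepted, d.regex_runs]
  rescue ValidationError
    [:rejected, d.regex_runs]
  end
end
```

With a 1024-byte limit and a constructed 4096-byte input, `Decoder.probe(:vulnerable, "A" * 4096, 1024)` returns `[:rejected, 1]` (the regex ran over the whole message before it was rejected) while `Decoder.probe(:fixed, "A" * 4096, 1024)` returns `[:rejected, 0]`.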
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "ruby-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54572"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-30T13:20:05Z",
"nvd_published_at": "2025-07-30T14:15:29Z",
"severity": "MODERATE"
},
"details": "### Summary\nA denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.\n\n### Details\n`ruby-saml` includes a `message_max_bytesize` setting intended to prevent DOS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code:\n\nhttps://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb\n\n```ruby\n def decode_raw_saml(saml, settings = nil)\n return saml unless base64_encoded?(saml) # \u003c--- Issue here. Should be moved after next code block.\n\n settings = OneLogin::RubySaml::Settings.new if settings.nil?\n if saml.bytesize \u003e settings.message_max_bytesize\n raise ValidationError.new(\"Encoded SAML Message exceeds \" + settings.message_max_bytesize.to_s + \" bytes, so was rejected\")\n end\n\n decoded = decode(saml)\n ...\n end\n```\n\nThe vulnerability is in the execution order. Prior to checking bytesize the `base64_encoded?` function performs regex matching on the entire input string:\n\n```ruby\n!!string.gsub(/[\\r\\n]|\\\\r|\\\\n|\\s/, \"\").match(BASE64_FORMAT)\n```\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nWhen successfully exploited, this vulnerability can lead to:\n\n- Excessive memory consumption\n- High CPU utilization\n- Application slowdown or unresponsiveness\n- Complete application crash in severe cases\n- Potential denial of service for legitimate users\n\nAll applications using `ruby-saml` with SAML configured and enabled are vulnerable.\n\n### Potential Solution\n\nReorder the validation steps to ensure max bytesize is checked first\n\n```ruby\ndef decode_raw_saml(saml, settings = nil)\n settings = OneLogin::RubySaml::Settings.new if settings.nil?\n\n if saml.bytesize \u003e settings.message_max_bytesize\n raise ValidationError.new(\"Encoded SAML Message exceeds \" + settings.message_max_bytesize.to_s + \" bytes, so was rejected\")\n end\n \n return saml unless base64_encoded?(saml)\n decoded = decode(saml)\n ...\nend\n```",
"id": "GHSA-rrqh-93c8-j966",
"modified": "2025-11-03T21:34:17Z",
"published": "2025-07-30T13:20:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54572"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/pull/770"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/38ef5dd1ce17514e202431f569c4f5633e6c2709"
},
{
"type": "PACKAGE",
"url": "https://github.com/SAML-Toolkits/ruby-saml"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.1"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-54572.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ruby SAML DOS vulnerability with large SAML response"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.