CVE-2025-25293 Overview
CVE-2025-25293 is a Denial of Service (DoS) vulnerability affecting the ruby-saml library, a widely-used Ruby implementation for Security Assertion Markup Language (SAML) single sign-on (SSO) authentication. The vulnerability exists in how ruby-saml handles compressed SAML responses using zlib decompression. Prior to versions 1.12.4 and 1.18.0, attackers can bypass the message size validation check by sending specially crafted compressed SAML responses that expand to excessively large payloads after decompression.
Critical Impact
Remote attackers can cause Denial of Service by exploiting the message size check bypass with compressed SAML responses, potentially disrupting authentication services for applications relying on ruby-saml for SSO.
Affected Products
- onelogin ruby-saml (versions prior to 1.12.4 and 1.18.0)
- omniauth omniauth_saml
- GitLab (addressed in patch release 17.9.2)
Discovery Timeline
- 2025-03-12 - CVE-2025-25293 published to NVD
- 2025-03-12 - GitLab releases patch in version 17.9.2
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-25293
Vulnerability Analysis
The vulnerability stems from improper input validation (CWE-400: Uncontrolled Resource Consumption) in the SAML message processing flow. When ruby-saml receives a compressed SAML response, it performs message size validation before decompression rather than after. This ordering flaw creates a security gap where an attacker can craft a small compressed payload that passes the initial size check but expands to an extremely large message upon inflation.
The flaw affects the decode_raw_saml method in lib/onelogin/ruby-saml/saml_message.rb, which processes incoming SAML messages in HTTP-redirect binding scenarios. By exploiting compression algorithms' ability to achieve high compression ratios, an attacker can send payloads that consume excessive memory and CPU resources when decompressed, leading to service degradation or complete denial of service.
Root Cause
The root cause is the incorrect placement of the message size validation check in the SAML response processing pipeline. The original implementation checked the message size before calling the inflate() function to decompress the payload. This meant that a highly compressed malicious payload could easily pass the size check while still expanding to a resource-exhausting size after decompression. The vulnerability represents a classic decompression bomb (zip bomb) attack vector applied to SAML authentication flows.
Attack Vector
This vulnerability is exploitable remotely over the network without requiring authentication or user interaction. An attacker can send specially crafted compressed SAML responses to any application using vulnerable versions of ruby-saml. The attack does not require any privileges and can be launched against publicly accessible SAML endpoints.
The attack flow involves:
- Crafting a SAML response that compresses to a small size but decompresses to an extremely large payload
- Sending the compressed response to the target application's SAML endpoint
- The application passes the pre-decompression size check
- Upon decompression, the expanded message consumes excessive system resources
- Service degradation or denial occurs as resources are exhausted
# Security patch from ruby-saml (v1.18.0 branch)
# Source: https://github.com/SAML-Toolkits/ruby-saml/commit/e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1
decoded = decode(saml)
begin
- inflate(decoded)
+ message = inflate(decoded)
rescue
- decoded
+ message = decoded
end
+ if message.bytesize > MAX_BYTE_SIZE
+ raise ValidationError.new("Encoded SAML Message exceeds " + MAX_BYTE_SIZE.to_s + " bytes, so was rejected")
+ end
+
+ message
end
# Deflate, base64 encode and url-encode a SAML Message (To be used in the HTTP-redirect binding)
Detection Methods for CVE-2025-25293
Indicators of Compromise
- Unusually high memory consumption on servers processing SAML authentication requests
- Spike in CPU utilization correlated with SAML endpoint traffic
- Application crashes or timeouts during SAML response processing
- Large volume of SAML requests from suspicious or unknown sources
Detection Strategies
- Monitor ruby-saml library versions in your application dependencies using software composition analysis (SCA) tools
- Implement application performance monitoring (APM) to detect resource exhaustion patterns on SAML endpoints
- Configure web application firewalls (WAF) to inspect and limit the size of compressed payloads in SAML responses
- Deploy intrusion detection systems (IDS) with rules to identify decompression bomb patterns
Monitoring Recommendations
- Set up alerts for abnormal memory growth patterns on authentication servers
- Monitor SAML endpoint response times for sudden degradation
- Track the ratio of compressed to decompressed payload sizes in SAML traffic
- Implement logging for SAML message processing failures and exceptions
How to Mitigate CVE-2025-25293
Immediate Actions Required
- Upgrade ruby-saml to version 1.12.4 or 1.18.0 or later immediately
- Update omniauth-saml to a version that uses the patched ruby-saml dependency
- For GitLab deployments, upgrade to version 17.9.2 or later
- Audit all applications using ruby-saml to identify vulnerable instances
- Consider implementing rate limiting on SAML endpoints as a temporary measure
Patch Information
The vulnerability has been addressed in ruby-saml versions 1.12.4 and 1.18.0. The fix moves the message size validation check to occur after decompression, ensuring that expanded payloads exceeding the configured maximum size are properly rejected. Security patches are available via the Ruby SAML Security Advisory GHSA-92rq-c8cf-prrq and OmniAuth SAML Security Advisory GHSA-hw46-3hmr-x9xv. Additional vendor-specific patches are available from GitLab Patch Release 17.9.2, Debian LTS, and NetApp Security Advisory.
Workarounds
- Implement network-level filtering to limit the size of incoming SAML requests before they reach the application
- Deploy a reverse proxy with payload size limits to reject oversized compressed content
- If possible, disable compressed SAML response handling temporarily until patching is complete
- Implement resource limits (memory and CPU) on application containers to prevent complete system exhaustion
# Example: Update ruby-saml gem to patched version
bundle update ruby-saml --conservative
# Verify the installed version
bundle show ruby-saml
# Should show version >= 1.12.4 or >= 1.18.0
# For Gemfile, ensure minimum version constraint:
# gem 'ruby-saml', '>= 1.18.0'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
