GHSA-rrqh-93c8-j966
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rrqh-93c8-j966
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-rrqh-93c8-j966/GHSA-rrqh-93c8-j966.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-rrqh-93c8-j966
- Aliases
- Published
- 2025-07-30T13:20:05Z
- Modified
- 2025-07-30T15:51:20.362142Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Ruby SAML DOS vulnerability with large SAML response
- Details
-
Summary
A denial-of-service vulnerability exists in ruby-saml even with the messagemaxbytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.
Details
ruby-samlincludes amessage_max_bytesizesetting intended to prevent DOS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code:https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb
def decode_raw_saml(saml, settings = nil) return saml unless base64_encoded?(saml) # <--- Issue here. Should be moved after next code block. settings = OneLogin::RubySaml::Settings.new if settings.nil? if saml.bytesize > settings.message_max_bytesize raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected") end decoded = decode(saml) ... endThe vulnerability is in the execution order. Prior to checking bytesize the
base64_encoded?function performs regex matching on the entire input string:!!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)Impact
What kind of vulnerability is it? Who is impacted?
When successfully exploited, this vulnerability can lead to:
- Excessive memory consumption
- High CPU utilization
- Application slowdown or unresponsiveness
- Complete application crash in severe cases
- Potential denial of service for legitimate users
All applications using
ruby-samlwith SAML configured and enabled are vulnerable.Potential Solution
Reorder the validation steps to ensure max bytesize is checked first
def decode_raw_saml(saml, settings = nil) settings = OneLogin::RubySaml::Settings.new if settings.nil? if saml.bytesize > settings.message_max_bytesize raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected") end return saml unless base64_encoded?(saml) decoded = decode(saml) ... end - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2025-07-30T13:20:05Z", "cwe_ids": [ "CWE-400" ], "nvd_published_at": "2025-07-30T14:15:29Z" }- References
-
- https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966
- https://nvd.nist.gov/vuln/detail/CVE-2025-54572
- https://github.com/SAML-Toolkits/ruby-saml/pull/770
- https://github.com/SAML-Toolkits/ruby-saml/commit/38ef5dd1ce17514e202431f569c4f5633e6c2709
- https://github.com/SAML-Toolkits/ruby-saml
- https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.1
Affected packages
RubyGems / ruby-saml
Package
- Name
- ruby-saml
- Purl
- pkg:gem/ruby-saml
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.18.1