Coordinated Disclosure Timeline
- 2024-12-13: Vulnerability was reported via GitHub’s private vulnerability reporting feature.
- 2024-12-13: A potential fix is proposed by the maintainer.
- 2025-03-12: Fixed versions of ruby-saml are released (in combination with fixes for the ruby-saml authentication bypasses).
Summary
ruby-saml was susceptible to remote Denial of Service (DoS) with compressed SAML responses.
Project
ruby-saml
Tested Version
Details
Remote Denial of Service (DoS) with compressed SAML responses (GHSL-2024-355)
ruby-saml uses zlib to decompress SAML responses in case they are compressed. It is possible to bypass the message size check with a compressed assertion, because the size is checked on the encoded message before inflation and not on the inflated result:
    # Size check runs on the still-encoded (and possibly deflated) message only.
    if saml.bytesize > settings.message_max_bytesize
      raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
    end

    decoded = decode(saml)
    begin
      # Inflation happens after the check; the inflated size is never compared
      # against message_max_bytesize.
      inflate(decoded)
    rescue
      # Not deflated: use the decoded bytes as-is.
      decoded
    end
The default value for message_max_bytesize is 250000 (bytes). Using deflate compression, an attacker can achieve a compression ratio of around 1:1000, so the decompressed message is around 250 MB in size. This leads to wasted CPU time and memory, mostly because of the XML processing that follows rather than the decompression itself.
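As an added illustration (this is example code written for this page, not code from ruby-saml or from the advisory), the following Ruby script contrasts the vulnerable ordering above with a decoder that applies message_max_bytesize to the inflated output as it is produced. The SAML-shaped sample document, the raw-deflate framing, the 256-byte input slicing and all helper names (build_sample_response, encode_compressed, inflate_bounded, MessageTooLarge, vulnerable_decode, hardened_decode) are assumptions of this example; the 250000-byte default is the value stated above.

```ruby
require "zlib"
require "base64"

# Default limit as stated in the advisory (ruby-saml's settings.message_max_bytesize).
MESSAGE_MAX_BYTESIZE = 250_000

# Raised by the hardened path once the inflated output passes the limit (name chosen here).
class MessageTooLarge < StandardError; end

# Constructed sample: a SAML-shaped XML document with a highly repetitive body,
# so it compresses extremely well. It is not a real IdP response.
def build_sample_response(attribute_count)
  body = "<saml:AttributeValue>value</saml:AttributeValue>" * attribute_count
  "<samlp:Response><saml:Assertion>#{body}</saml:Assertion></samlp:Response>"
end

# Raw DEFLATE (no zlib header) followed by Base64, the framing used for deflated
# SAML messages. Assumed here to mirror what a client would send.
def encode_compressed(xml)
  deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  deflated = deflater.deflate(xml, Zlib::FINISH)
  deflater.close
  Base64.strict_encode64(deflated)
end

# Unbounded inflate: the whole output is allocated in one call, whatever its size.
def inflate_unbounded(data)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(data)
end

# Bounded inflate: feed the compressed input in small slices and abort as soon as the
# accumulated output exceeds max_bytes, so the full payload is never materialised.
def inflate_bounded(data, max_bytes, slice = 256)
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = "".b
  offset = 0
  while offset < data.bytesize
    out << inflater.inflate(data.byteslice(offset, slice))
    if out.bytesize > max_bytes
      raise MessageTooLarge, "inflated SAML message exceeds #{max_bytes} bytes, so was rejected"
    end
    offset += slice
  end
  # A stream that never reached its end marker is not valid deflate data.
  raise Zlib::DataError, "truncated deflate stream" unless inflater.finished?
  out
ensure
  inflater&.close
end

# Mirrors the ordering shown in the advisory: only the encoded size is checked.
def vulnerable_decode(saml_b64, max_bytes = MESSAGE_MAX_BYTESIZE)
  raise MessageTooLarge, "encoded message exceeds #{max_bytes} bytes" if saml_b64.bytesize > max_bytes
  decoded = Base64.decode64(saml_b64)
  begin
    inflate_unbounded(decoded)
  rescue
    decoded # not deflated: use as-is
  end
end

# Hardened ordering: keep the cheap encoded-size check, then enforce the same limit
# on the inflated bytes. Only Zlib errors fall back to the decoded bytes, so a
# MessageTooLarge raised during inflation propagates instead of being swallowed.
def hardened_decode(saml_b64, max_bytes = MESSAGE_MAX_BYTESIZE)
  raise MessageTooLarge, "encoded message exceeds #{max_bytes} bytes" if saml_b64.bytesize > max_bytes
  decoded = Base64.decode64(saml_b64)
  begin
    inflate_bounded(decoded, max_bytes)
  rescue Zlib::Error
    decoded # not deflated: already bounded by the encoded-size check above
  end
end

if __FILE__ == $0
  big = build_sample_response(30_000)
  payload = encode_compressed(big)
  puts "encoded: #{payload.bytesize} bytes, inflated: #{big.bytesize} bytes"
  puts "vulnerable path returned #{vulnerable_decode(payload).bytesize} bytes"
  begin
    hardened_decode(payload)
  rescue MessageTooLarge => e
    puts "hardened path: #{e.message}"
  end
end
```

The hardened variant keeps the original fallback for non-deflated input, but narrows the rescue to Zlib::Error; with the original bare rescue the size error raised inside inflation would be swallowed and the decoded bytes returned instead. Slicing the input also caps the transient allocation per inflate call (a 256-byte slice can expand to roughly 260 KB at deflate's maximum ratio), which is what keeps the check meaningful before the 250 MB payload exists in memory.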
Impact
This issue may lead to remote Denial of Service (DoS).
CVE
- CVE-2025-25293
Credit
This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-355 in any communication regarding this issue.