CVE-2025-54572: Ruby SAML DOS vulnerability with large SAML response
Summary
A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.
Details
ruby-saml includes a message_max_bytesize setting intended to prevent DoS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code:
https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/samlmessage.rb
```ruby
def decode_raw_saml(saml, settings = nil)
  return saml unless base64_encoded?(saml) # <--- Issue here. Should be moved after next code block.

  settings = OneLogin::RubySaml::Settings.new if settings.nil?
  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end

  decoded = decode(saml)
  ...
end
```
The vulnerability is in the execution order. Before the bytesize check runs, base64_encoded? performs a gsub and then a regex match over the entire input string:

```ruby
!!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
```

The gsub allocates a whitespace-stripped copy of the whole input, and the anchored BASE64_FORMAT match then scans that copy. Both steps cost time and memory proportional to the attacker-controlled input, and message_max_bytesize is never consulted before they run.
Impact
When successfully exploited, this vulnerability can lead to:
- Excessive memory consumption
- High CPU utilization
- Application slowdown or unresponsiveness
- Complete application crash in severe cases
- Potential denial of service for legitimate users

All applications that use ruby-saml with SAML configured and enabled are affected, because the format check runs on every received message before the size limit is enforced. Since the Assertion Consumer Service endpoint accepts SAML responses before any session exists, no credentials are needed to deliver an oversized message.
Potential Solution
Reorder the validation steps to ensure max bytesize is checked first:

```ruby
def decode_raw_saml(saml, settings = nil)
  settings = OneLogin::RubySaml::Settings.new if settings.nil?
  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end

  return saml unless base64_encoded?(saml)
  decoded = decode(saml)
  ...
end
```
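To make the ordering difference measurable, the following is an added, self-contained Ruby example (not ruby-saml's own code) that reimplements the vulnerable decode_raw_saml from the Details section and the reordered version from the Potential Solution side by side. BASE64_FORMAT and the gsub pattern mirror the library's, and the 250_000 limit mirrors the setting's default; FakeSettings, VulnerableDecoder, FixedDecoder, format_check_bytes, run and the constructed inputs are assumptions made for this demonstration.

```ruby
require "base64"

# Added example, not ruby-saml's own code. Both decoders below share the same
# base64_encoded? and size check; only the order of the two calls differs.
# format_check_bytes counts how many input bytes reached the format check,
# which is the work an attacker can force before any size limit applies.

BASE64_FORMAT = %r{\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)\Z}

class ValidationError < StandardError; end

# Hypothetical stand-in for OneLogin::RubySaml::Settings.
FakeSettings = Struct.new(:message_max_bytesize)

module SamlDecoderBase
  attr_reader :format_check_bytes

  def initialize
    @format_check_bytes = 0 # bytes handed to base64_encoded? so far
  end

  # Same shape as the library's check: gsub copies the whole input, then the
  # anchored regex scans the copy. Cost is linear in the (unbounded) input.
  def base64_encoded?(string)
    @format_check_bytes += string.bytesize
    !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
  end

  def check_size!(saml, settings)
    return unless saml.bytesize > settings.message_max_bytesize
    raise ValidationError, "Encoded SAML Message exceeds #{settings.message_max_bytesize} bytes, so was rejected"
  end
end

# Vulnerable ordering: format check (unbounded work) before the size check.
class VulnerableDecoder
  include SamlDecoderBase

  def decode_raw_saml(saml, settings)
    return saml unless base64_encoded?(saml)
    check_size!(saml, settings)
    Base64.decode64(saml)
  end
end

# Fixed ordering: the O(1) bytesize comparison runs first.
class FixedDecoder
  include SamlDecoderBase

  def decode_raw_saml(saml, settings)
    check_size!(saml, settings)
    return saml unless base64_encoded?(saml)
    Base64.decode64(saml)
  end
end

# Constructed inputs for the demonstration.
SETTINGS = FakeSettings.new(250_000)
SMALL = Base64.strict_encode64("<samlp:Response/>")
# Well-formed Base64 (length is a multiple of 4) that is just over the limit,
# so the vulnerable decoder scans all of it before finally rejecting it.
OVERSIZE = "A" * (SETTINGS.message_max_bytesize + 4)

# Returns [:accepted | :rejected, bytes examined by the format check].
def run(decoder_class, input)
  decoder = decoder_class.new
  decoder.decode_raw_saml(input, SETTINGS)
  [:accepted, decoder.format_check_bytes]
rescue ValidationError
  [:rejected, decoder.format_check_bytes]
end

if __FILE__ == $0
  puts "vulnerable, oversize: #{run(VulnerableDecoder, OVERSIZE).inspect}"
  puts "fixed,      oversize: #{run(FixedDecoder, OVERSIZE).inspect}"
  puts "fixed,      small:    #{run(FixedDecoder, SMALL).inspect}"
end
```

With the oversize input the vulnerable decoder reports every byte passing through the format check before the rejection, while the fixed decoder rejects with zero bytes examined. Note that either version only runs after the web server has already read the full request body into memory, so a body-size limit at the reverse proxy or Rack layer is the complementary control for this endpoint.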
Other sources
The Ruby SAML library is for implementing the client side of a SAML authorization. In versions 1.18.0 and below, a denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion. This is fixed in version 1.18.1.
— MITRE
Frequently Asked Questions
What is the severity of CVE-2025-54572?
CVE-2025-54572 is a denial-of-service vulnerability; its impact is on availability (CPU and memory exhaustion from processing an oversized SAML message).
How do I fix CVE-2025-54572?
To fix CVE-2025-54572, upgrade to ruby-saml version 1.18.1 or higher.
What causes the vulnerability in CVE-2025-54572?
The vulnerability in CVE-2025-54572 is caused by ruby-saml checking the Base64 format of a SAML message (a gsub and regex pass over the whole input) before enforcing the message_max_bytesize limit, so an oversized message is fully processed by that check and can exhaust CPU and memory.
Which versions of ruby-saml are affected by CVE-2025-54572?
All versions of ruby-saml prior to 1.18.1 are affected by CVE-2025-54572.
What are the potential impacts of exploiting CVE-2025-54572?
Exploiting CVE-2025-54572 may lead to denial of service due to resource exhaustion.