Cyber Posture

CVE-2025-25293

High · Public PoC

Published: 12 March 2025
Modified: 03 November 2025
KEV Added: none (not in the CISA KEV catalog)
Patch: 12 March 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0622 (91.0th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25293 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Omniauth Omniauth Saml (the ruby-saml library, on which omniauth-saml depends). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 9.0% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). AI-specific risk: MITRE ATLAS External Harms (AML.T0048). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, testing, and installation of software fixes for flaws like the ruby-saml decompression size check bypass.

SC-5 Denial-of-service Protection (prevent)

Implements protections specifically against denial-of-service attacks such as resource exhaustion from malicious compressed SAML responses.

SC-6 Resource Availability (prevent)

Ensures resource availability by allocating resources with constraints to mitigate uncontrolled consumption during SAML response decompression.

MITRE ATT&CK Enterprise Techniques [AI]

T1499.004 Application or System Exploitation (tactic: Impact)

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability in ruby-saml lets a remote attacker cause a denial of service by sending a compressed SAML response that passes the pre-decompression size check yet inflates to an excessive size when zlib decompresses it, exhausting the application's resources.

MITRE ATLAS Techniques [AI]

AML.T0048: External Harms

NVD Description

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

Deeper analysis [AI]

CVE-2025-25293 is a remote Denial of Service (DoS) vulnerability in the ruby-saml library, which provides Security Assertion Markup Language (SAML) single sign-on (SSO) functionality for Ruby applications. The issue affects versions prior to 1.12.4 and 1.18.0. It stems from the library's use of zlib to decompress incoming SAML responses, where the message size check occurs before decompression rather than after. This allows a compressed assertion to bypass size limits, potentially leading to excessive resource consumption upon inflation.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption). A remote, unauthenticated attacker can exploit it by sending a specially crafted compressed SAML response to a vulnerable ruby-saml deployment. Successful exploitation results in a DoS condition, disrupting service availability without impacting confidentiality or integrity.

Mitigation is available through upgrading to ruby-saml versions 1.12.4 or 1.18.0, which address the flaw via changes documented in specific commits (acac9e9cc0b9a507882c614f25d41f8b47be349a and e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1). GitLab released version 17.9.2 on March 12, 2025, to patch affected instances, as noted in their advisory. Additional guidance appears in the ruby-saml release notes and a related GitHub security blog post.
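The core defect described above (a size check applied to the compressed bytes, before zlib inflation) is easiest to see next to its fix. The following Ruby is an added illustration written for this page; it is not ruby-saml's code or its actual patch. It assumes a raw DEFLATE stream (the encoding SAML uses for compressed messages, which is why the window-bits value is negated) and a constructed 64 KiB limit; `unchecked_inflate` reproduces the vulnerable ordering, while `bounded_inflate` enforces the limit on the inflated output as zlib streams it, so a few kilobytes of input can no longer expand into a megabyte-scale allocation.

```ruby
require "zlib"

# Upper bound for one SAML message. Constructed value for this example; a
# real deployment picks a limit that fits its largest legitimate response.
MAX_MESSAGE_BYTES = 64 * 1024

# Raised by the hardened decoder once inflated output exceeds the limit.
class InflatedTooLarge < StandardError; end

# Builds a raw DEFLATE stream (no zlib header), the form SAML uses for
# compressed messages. Used here only to construct sample inputs.
def raw_deflate(str)
  deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  out = deflater.deflate(str, Zlib::FINISH)
  deflater.close
  out
end

# Vulnerable ordering (illustrative, not ruby-saml's code): the size check
# sees only the *compressed* bytes, so a tiny input still inflates fully.
def unchecked_inflate(compressed, max_bytes: MAX_MESSAGE_BYTES)
  raise ArgumentError, "SAML message too large" if compressed.bytesize > max_bytes

  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  begin
    inflater.inflate(compressed) # allocates the whole inflated payload
  ensure
    inflater.close
  end
end

# Hardened ordering: the limit is enforced on the *inflated* bytes while
# zlib produces them, so memory use stays near the limit whatever the
# compression ratio of the input.
def bounded_inflate(compressed, max_bytes: MAX_MESSAGE_BYTES)
  # Keep the cheap pre-check as a first gate against oversized requests; it
  # is just no longer the only check.
  raise ArgumentError, "SAML message too large" if compressed.bytesize > max_bytes

  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = String.new(encoding: Encoding::BINARY)
  begin
    # The block form of Zlib::Inflate#inflate yields output chunks as they
    # are produced instead of returning one fully inflated string.
    inflater.inflate(compressed) do |chunk|
      out << chunk
      if out.bytesize > max_bytes
        raise InflatedTooLarge, "inflated SAML message exceeds #{max_bytes} bytes"
      end
    end
  ensure
    inflater.close
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a small, legitimate-looking message and a highly
  # compressible payload that mimics an inflation attack.
  legit = "<samlp:Response ID=\"_example\"><saml:Assertion/></samlp:Response>"
  bomb  = "A" * (1024 * 1024) # 1 MiB of one byte deflates to roughly 1 KiB

  [["legitimate", legit], ["inflation", bomb]].each do |label, payload|
    compressed = raw_deflate(payload)
    unchecked  = unchecked_inflate(compressed).bytesize
    bounded    = begin
      bounded_inflate(compressed).bytesize
    rescue InflatedTooLarge => e
      "rejected (#{e.message})"
    end
    puts "#{label}: #{compressed.bytesize} B compressed -> " \
         "unchecked=#{unchecked} B, bounded=#{bounded}"
  end
end
```

Running the script shows the legitimate message decoding identically under both functions, while the 1 MiB payload passes `unchecked_inflate`'s pre-check (its compressed form is about 1 KiB) and is fully allocated, yet is rejected by `bounded_inflate` after the first few 16 KiB chunks. Raising from inside the yield block is what stops zlib early; without it the check would run only after the allocation had already happened.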

Details

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Affected Products

omniauth / omniauth saml: ≤ 1.10.6; 2.0.0 through 2.1.3; 2.2.0 through 2.2.3
onelogin / ruby-saml: ≤ 1.12.4; 1.13.0 through 1.18.0

CVEs Like This One

CVE-2025-25292 (same product: Omniauth Omniauth Saml)
CVE-2025-25291 (same product: Omniauth Omniauth Saml)
CVE-2025-9464 (shared CWE-400)
CVE-2024-53458 (shared CWE-400)
CVE-2024-57085 (shared CWE-400)
CVE-2024-56921 (shared CWE-400)
CVE-2026-33538 (shared CWE-400)
CVE-2025-9280 (shared CWE-400)
CVE-2026-28412 (shared CWE-400)
CVE-2026-33750 (shared CWE-400)

References