Cyber Resilience

CVE-2025-25293

Severity: High · Public PoC · DDoS

Published: 12 March 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: 12 March 2025
CVSS Score v4: 7.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0622 (91.1th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25293 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Omniauth Omniauth Saml. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 8.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

ruby-saml is a Ruby library that implements SAML-based single sign-on. Prior to versions 1.12.4 and 1.18.0, the library decompresses incoming SAML responses using zlib without first validating the size of the inflated content. Because the message-size check occurs on the compressed data, an attacker can supply a small but highly compressible assertion that expands to a much larger payload after decompression, triggering excessive memory or CPU consumption.

An unauthenticated remote attacker who can reach a SAML endpoint can send a crafted compressed response to induce a denial of service. The vulnerability carries a CVSS 4.0 score of 7.7 with network attack vector, no required privileges or user interaction, and high impact on availability.

Public advisories, including GitLab’s March 2025 patch release and the ruby-saml project’s own release notes, direct users to upgrade to 1.12.4 or 1.18.0. The fixes add a post-inflation size check and are referenced in the corresponding GitHub commits.

The associated EPSS score has remained low, moving only from 0.0622 to a peak of 0.0670.

Vulnerability details

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.
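The check-before-inflate pattern described in "Deeper analysis" and "Vulnerability details" above, shown beside a bounded decoder that enforces the limit on the inflated output instead. This is an added example written for this page; it is not ruby-saml's code or its fix. The 250,000-byte limit, the function names and the constructed sample payload (a run of repeated bytes encoded as raw DEFLATE) are assumptions made for the demonstration.

```ruby
require 'zlib'

# Hypothetical message-size limit used by both decoders below.
MAX_BYTES = 250_000

class DecompressionTooLarge < StandardError; end

# Constructed sample "assertion": a highly compressible body (repeated 'A's)
# encoded as raw DEFLATE (negative window bits = no zlib header).
def build_compressed_payload(inflated_size)
  deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  begin
    deflater.deflate('A' * inflated_size, Zlib::FINISH)
  ensure
    deflater.close
  end
end

# Vulnerable pattern: the size check runs on the compressed bytes only, so a
# tiny input that expands roughly a thousandfold passes and is fully inflated.
def decode_unsafe(compressed, max_bytes = MAX_BYTES)
  raise DecompressionTooLarge, 'compressed input too large' if compressed.bytesize > max_bytes
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  begin
    inflater.inflate(compressed) # unbounded: output may be far larger than max_bytes
  ensure
    inflater.close
  end
end

# Hardened pattern: keep the cheap pre-check, then inflate in chunks and abort
# as soon as the accumulated *inflated* size crosses the limit, so memory use
# stays near max_bytes plus one zlib output chunk.
def decode_bounded(compressed, max_bytes = MAX_BYTES)
  raise DecompressionTooLarge, 'compressed input too large' if compressed.bytesize > max_bytes
  out = String.new # binary (ASCII-8BIT) buffer
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  begin
    # With a block, Zlib::Inflate#inflate yields successive output chunks;
    # raising inside the block stops inflation immediately.
    inflater.inflate(compressed) do |chunk|
      out << chunk
      if out.bytesize > max_bytes
        raise DecompressionTooLarge, "inflated size exceeds #{max_bytes} bytes"
      end
    end
  ensure
    inflater.close
  end
  out
end

# Run both decoders on the same constructed payload and report what each did.
def compare(inflated_size, max_bytes = MAX_BYTES)
  payload = build_compressed_payload(inflated_size)
  unsafe = decode_unsafe(payload, max_bytes).bytesize
  bounded = begin
    decode_bounded(payload, max_bytes).bytesize
  rescue DecompressionTooLarge
    :rejected
  end
  { compressed_bytes: payload.bytesize, unsafe_inflated_bytes: unsafe, bounded_result: bounded }
end

if __FILE__ == $PROGRAM_NAME
  p compare(2 * 1024 * 1024) # a few KiB compressed, 2 MiB after inflation
  p compare(1_000)           # a legitimately sized message passes both decoders
end
```

The 2 MiB case shows the gap the advisory describes: the compressed input is a few kilobytes and passes the pre-inflation check in both decoders, but only the bounded decoder refuses it once the inflated output passes the limit. A real endpoint would also cap the number of concurrent decompressions, since the limit bounds memory per request, not CPU across requests.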

CWE(s): CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability in ruby-saml allows remote attackers to perform a denial of service by sending compressed SAML responses that bypass the pre-decompression size check and inflate excessively after decompression using zlib, exhausting resources via application exploitation.

MITRE ATLAS Techniques [AI]

AML.T0048: External Harms

CVEs Like This One

CVE-2025-25292 (same product: Omniauth Omniauth Saml)
CVE-2025-25291 (same product: Omniauth Omniauth Saml)
CVE-2024-56921 (shared CWE-400)
CVE-2026-33538 (shared CWE-400)
CVE-2026-0517 (shared CWE-400)
CVE-2026-6051 (shared CWE-400)
CVE-2026-21945 (shared CWE-400)
CVE-2026-33750 (shared CWE-400)
CVE-2024-33618 (shared CWE-400)
CVE-2025-69534 (shared CWE-400)

Affected Assets

omniauth / omniauth saml: ≤ 1.10.6 · 2.0.0 — 2.1.3 · 2.2.0 — 2.2.3
onelogin / ruby-saml: ≤ 1.12.4 · 1.13.0 — 1.18.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, testing, and installation of software fixes for flaws like the ruby-saml decompression size check bypass.

SC-5 Denial-of-Service Protection (prevent): Implements protections specifically against denial-of-service attacks such as resource exhaustion from malicious compressed SAML responses.

Resource availability (prevent): Ensures resource availability by allocating resources with constraints to mitigate uncontrolled consumption during SAML response decompression.

References