CVE-2025-25293
Published: 12 March 2025
Summary
CVE-2025-25293 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Omniauth Omniauth Saml. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
ruby-saml is a Ruby library that implements SAML-based single sign-on. Prior to versions 1.12.4 and 1.18.0, the library decompresses incoming SAML responses using zlib without first validating the size of the inflated content. Because the message-size check occurs on the compressed data, an attacker can supply a small but highly compressible assertion that expands to a much larger payload after decompression, triggering excessive memory or CPU consumption.
An unauthenticated remote attacker who can reach a SAML endpoint can send a crafted compressed response to induce a denial of service. The vulnerability carries a CVSS 4.0 score of 7.7 with network attack vector, no required privileges or user interaction, and high impact on availability.
Public advisories, including GitLab’s March 2025 patch release and the ruby-saml project’s own release notes, direct users to upgrade to 1.12.4 or 1.18.0. The fixes add a post-inflation size check and are referenced in the corresponding GitHub commits.
The associated EPSS score has remained low, moving only from 0.0622 to a peak of 0.0670.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6413
Vulnerability details
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case…
more
they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in ruby-saml allows remote attackers to perform a denial of service by sending compressed SAML responses that bypass the pre-decompression size check and inflate excessively after decompression using zlib, exhausting resources via application exploitation.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, testing, and installation of software fixes for flaws like the ruby-saml decompression size check bypass.
Implements protections specifically against denial-of-service attacks such as resource exhaustion from malicious compressed SAML responses.
Ensures resource availability by allocating resources with constraints to mitigate uncontrolled consumption during SAML response decompression.