N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-54572

GHSA ID

GHSA-rrqh-93c8-j966

EPSS Score

CWE

CWE-400

Published

7/30/2025

Updated

7/30/2025

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54572

CVE-2025-54572: Ruby SAML DOS vulnerability with large SAML response

Summary

A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.

Details

ruby-saml includes a message_max_bytesize setting intended to prevent DOS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code:

https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb

      def decode_raw_saml(saml, settings = nil)
        return saml unless base64_encoded?(saml) # <--- Issue here. Should be moved after next code block.

        settings = OneLogin::RubySaml::Settings.new if settings.nil?
        if saml.bytesize > settings.message_max_bytesize
          raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
        end

        decoded = decode(saml)
        ...
      end

The vulnerability is in the execution order. Prior to checking bytesize the base64_encoded? function performs regex matching on the entire input string:

!!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)

Impact

What kind of vulnerability is it? Who is impacted?

When successfully exploited, this vulnerability can lead to:

Excessive memory consumption
High CPU utilization
Application slowdown or unresponsiveness
Complete application crash in severe cases
Potential denial of service for legitimate users

All applications using ruby-saml with SAML configured and enabled are vulnerable.

Potential Solution

Reorder the validation steps to ensure max bytesize is checked first

def decode_raw_saml(saml, settings = nil)
  settings = OneLogin::RubySaml::Settings.new if settings.nil?

  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end
  
  return saml unless base64_encoded?(saml)
  decoded = decode(saml)
  ...
end

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-54572

GHSA ID

GHSA-rrqh-93c8-j966

EPSS Score

CWE

CWE-400

Published

7/30/2025

Updated

7/30/2025

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ruby-saml	rubygems	< 1.18.1	1.18.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability analysis began by examining the provided commit 38ef5dd1ce17514e202431f569c4f5633e6c2709. The commit patch clearly shows a change in the order of operations within the decode_message function in lib/ruby_saml/xml/decoder.rb. Specifically, the call to base64_encoded?(message) was moved to after the message size check (message.bytesize > max_bytesize). The vulnerability description explains that the base64_encoded? method performs a resource-intensive regular expression match. By performing this operation before validating the input size, an attacker could provide a very large input string, causing the application to hang while processing the regex, leading to a Denial of Service. The identified vulnerable function, RubySaml::XML::Decoder.decode_message, is the exact location where this flawed logic existed. The patch directly addresses this by ensuring the size limit is enforced before any expensive processing occurs.

Vulnerable functions

RubySaml::XML::Decoder.decode_message

lib/ruby_saml/xml/decoder.rb

The vulnerability exists because the `decode_message` function calls `base64_encoded?` before checking the size of the input message. The `base64_encoded?` function uses a regular expression to validate the input. When a very large, non-Base64 encoded string is passed as the `message`, the regex matching consumes excessive CPU and memory, leading to a denial-of-service condition. The patch mitigates this by moving the size check before the call to `base64_encoded?`.

WAF Protection Rules

WAF Rule

### Summ*ry * **ni*l-o*-s*rvi** vuln*r**ility *xists in ru*y-s*ml *v*n wit* t** m*ss***_m*x_*yt*siz* s*ttin* *on*i*ur**. T** vuln*r**ility o**urs ****us* t** S*ML r*spons* is v*li**t** *or **s*** *orm*t prior to ****kin* t** m*ss*** siz*, l***in* to

Reasoning

T** vuln*r**ility *n*lysis ****n *y *x*minin* t** provi*** *ommit `****************************************`. T** *ommit p*t** *l**rly s*ows * ***n** in t** or**r o* op*r*tions wit*in t** `***o**_m*ss***` *un*tion in `li*/ru*y_s*ml/xml/***o**r.r*`. S

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-54572: Ruby SAML DOS vulnerability with large SAML response

Summary

Details

Impact

Potential Solution

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI