CVE-2025-25293

7.5 HIGH

📋 TL;DR

This vulnerability in ruby-saml allows an unauthenticated remote attacker to cause a Denial of Service (DoS) by sending a specially crafted compressed (DEFLATE) SAML response. The library enforces its message size limit (settings.message_max_bytesize, 250000 bytes by default) only on the base64-encoded input, before decompression, so a payload of a few tens of kilobytes can inflate to hundreds of megabytes and exhaust memory on the server. All applications that use a vulnerable ruby-saml version to process SAML responses are affected.

💻 Affected Systems

Products:
  • ruby-saml
  • GitLab (via ruby-saml dependency)
  • Other Ruby applications using ruby-saml for SAML authentication
Versions: 1.x releases prior to 1.12.4, and 1.13.0 through 1.17.x (the fix shipped on two branches, as 1.12.4 and 1.18.0)
Operating Systems: All operating systems running Ruby applications with vulnerable ruby-saml
Default Config Vulnerable: ⚠️ Yes
Notes: The compression is chosen by the attacker, not by the application. ruby-saml inflates any received message that base64-decodes to a DEFLATE stream; the compress_request / compress_response settings only govern outbound messages and no setting turns inbound inflation off, so the default configuration is affected. Applications are exposed through every endpoint that hands a SAML message to ruby-saml, in practice the assertion consumer service (ACS) endpoint that receives SAML responses.
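To make the ordering of the size check concrete, here is an added example that is not ruby-saml's own code: a reconstruction of the pre-fix decode pattern, where the only size check is on the base64-encoded input, beside a hardened decoder that streams the inflate and aborts once the output passes a cap. The function names (vulnerable_decode, bounded_decode, build_bomb), the InflatedTooLarge error and the 16 MiB bomb are this example's own; the 250000-byte default mirrors ruby-saml's message_max_bytesize default, and the raw-DEFLATE inflate (negative window bits) mirrors how SAML bindings compress messages.

```ruby
require "zlib"
require "base64"

# Default of settings.message_max_bytesize in ruby-saml 1.x.
MESSAGE_MAX_BYTESIZE = 250_000

class InflatedTooLarge < StandardError; end

# SAML bindings use raw DEFLATE (no zlib header), so both sides pass a
# negative window size to zlib.
def raw_deflate(str)
  d = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  out = d.deflate(str, Zlib::FINISH)
  d.close
  out
end

# Pre-fix pattern (reconstructed and simplified, not ruby-saml's source):
# the only size check is on the encoded input, the inflate is unbounded.
def vulnerable_decode(encoded, max_bytes: MESSAGE_MAX_BYTESIZE)
  if encoded.bytesize > max_bytes
    raise ArgumentError, "encoded message exceeds #{max_bytes} bytes"
  end
  decoded = Base64.decode64(encoded)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(decoded) # may allocate hundreds of MB
end

# Hardened: same encoded-size check, then a streaming inflate that raises as
# soon as the accumulated output passes the cap, so memory use stays near
# max_bytes plus one zlib output chunk instead of growing with the bomb.
def bounded_decode(encoded, max_bytes: MESSAGE_MAX_BYTESIZE)
  if encoded.bytesize > max_bytes
    raise ArgumentError, "encoded message exceeds #{max_bytes} bytes"
  end
  decoded = Base64.decode64(encoded)
  zi = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = String.new # binary, mutable accumulator
  begin
    zi.inflate(decoded) do |chunk|
      out << chunk
      raise InflatedTooLarge, "inflated message exceeds #{max_bytes} bytes" if out.bytesize > max_bytes
    end
  ensure
    zi.close
  end
  out
end

# Constructed bomb: 16 MiB of a single byte deflates to roughly 16 KiB,
# far below the 250000-byte encoded-size check.
INFLATED_SIZE = 16 * 1024 * 1024

def build_bomb(size = INFLATED_SIZE)
  Base64.strict_encode64(raw_deflate("A" * size))
end

def hardened_rejects?(encoded)
  bounded_decode(encoded)
  false
rescue InflatedTooLarge
  true
end

# Constructed stand-in for a legitimately sized response (not a real assertion).
LEGIT_XML = "<samlp:Response ID=\"_example\">" + ("<x/>" * 100) + "</samlp:Response>"

def demo
  bomb = build_bomb
  legit = Base64.strict_encode64(raw_deflate(LEGIT_XML))
  {
    bomb_encoded_bytes: bomb.bytesize,
    vulnerable_inflates_to: vulnerable_decode(bomb).bytesize,
    hardened_rejects_bomb: hardened_rejects?(bomb),
    legit_roundtrip: bounded_decode(legit) == LEGIT_XML
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Running demo shows the encoded bomb at roughly 22 KB passing the 250000-byte check, vulnerable_decode returning 16 MiB, and bounded_decode refusing it while still decoding the small legitimate message. The same bounded inflate, placed in front of the SAMLResponse parameter, is the shape of an application-level guard for deployments that cannot upgrade immediately.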

📦 What is this software?

ruby-saml is the SAML-Toolkits library (the ruby-saml gem) that implements the service-provider side of SAML 2.0 single sign-on for Ruby applications: it builds authentication and logout requests and parses and validates the SAML responses and assertions returned by an identity provider. GitLab's SAML SSO integration depends on it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to resource exhaustion, preventing legitimate users from authenticating via SAML SSO.

🟠

Likely Case

Service degradation or temporary unavailability requiring restart of affected services.

🟢

If Mitigated

Minimal impact with proper monitoring and resource limits in place.

🌐 Internet-Facing: HIGH - SAML endpoints are typically internet-facing for SSO, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal SAML endpoints could still be targeted by compromised internal systems or malicious insiders.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack is a single HTTP POST of a crafted SAMLResponse parameter to a vulnerable endpoint. No authentication is needed: the ACS endpoint must accept unauthenticated requests by design, since that is where the identity provider's response arrives, and the payload needs no valid signature because decompression happens when the response is parsed, before signature validation runs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.4 (backport for the 1.12 line) or 1.18.0

Vendor Advisory: https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4

Restart Required: Yes

Instructions:

1. Update the ruby-saml gem to 1.12.4 (if you must stay on the 1.12 line) or to 1.18.0.
2. Pin the constraint in the Gemfile so Bundler cannot resolve back into an affected version: 'gem "ruby-saml", "~> 1.18"' or, for the 1.12 line, 'gem "ruby-saml", "~> 1.12.4"'. A bare '>= 1.12.4' is not enough: it still admits 1.13.0 through 1.17.x, which are affected.
3. Run 'bundle update ruby-saml' and commit the updated Gemfile.lock.
4. Restart the application server so the new gem is loaded.

🔧 Temporary Workarounds

Bound the size of inflated SAML messages before ruby-saml processes them

Applies to: all deployments that cannot upgrade immediately

ruby-saml has no setting that refuses compressed responses: every received message that base64-decodes to a DEFLATE stream is inflated, and the compress_request / compress_response settings affect only the messages the application sends. Compression therefore cannot be "disabled" on the receiving side, and unsolicited-response or signature checks do not help because they run after the message has already been inflated. Two workarounds remain:

  • Lower 'settings.message_max_bytesize' (default 250000). The check still applies to the encoded size only, but DEFLATE cannot expand by more than roughly 1032:1, so a cap of 20000 encoded bytes bounds the inflated message at about 15 MB instead of roughly 190 MB. Set it just above the largest response your identity provider actually sends.
  • In the application (a Rack middleware or the ACS controller action), base64-decode the SAMLResponse parameter yourself and inflate it with a streaming Zlib::Inflate that aborts once the output passes a cap, rejecting the request before OneLogin::RubySaml::Response.new is ever called.

🧯 If You Can't Patch

  • Rate-limit POSTs to the SAML ACS endpoint per source address; legitimate SSO traffic produces a handful of responses per user session, not bursts.
  • Deploy WAF or reverse-proxy rules that reject SAMLResponse parameters larger than the responses your identity provider actually produces; a bomb under the gem's default 250000-byte limit can still be well above a normal response.
  • Cap per-worker memory (for example Puma or Unicorn worker memory limits, or container memory limits) so an inflated message kills one worker rather than the host, and alert on worker restarts.

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock or run 'bundle show ruby-saml' to see the installed version. The system is vulnerable if the version is below 1.12.4, or is 1.13.0 or later but below 1.18.0.

Check Version:

grep -E '^    ruby-saml \(' Gemfile.lock
bundle show ruby-saml | grep -oE 'ruby-saml-[0-9]+(\.[0-9]+)+'

Verify Fix Applied:

After the update, confirm with 'bundle show ruby-saml' that the version is exactly on a fixed line: 1.12.4 or later but below 1.13.0, or 1.18.0 or later. A version such as 1.17.0 is higher than 1.12.4 and still affected. Then test that SAML authentication still works end to end.
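Because the fix landed on two branches, a plain "is the version below 1.12.4" comparison misclassifies 1.13.0 through 1.17.x. The following is an added example, not a tool from the ruby-saml project: it reads the resolved ruby-saml version out of Gemfile.lock text and checks it against both affected ranges with Gem::Requirement. The lockfile excerpt is constructed and deliberately shows the pitfall from the fix instructions: a Gemfile constraint of ">= 1.12.4" that Bundler resolved to an affected 1.17.0.

```ruby
require "rubygems"

# Affected ranges for CVE-2025-25293: everything before 1.12.4, plus the
# 1.13.0 .. 1.17.x line that was only fixed in 1.18.0.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 1.12.4"),
  Gem::Requirement.new(">= 1.13.0", "< 1.18.0")
].freeze

def vulnerable_version?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(v) }
end

# Resolved gems in Gemfile.lock appear under "specs:" as lines indented by
# exactly four spaces, e.g. "    ruby-saml (1.17.0)". The DEPENDENCIES
# section lists the Gemfile constraint instead and is indented by two.
def locked_ruby_saml_version(lockfile_text)
  m = lockfile_text.match(/^ {4}ruby-saml \(([0-9][\w.]*)\)$/)
  m && m[1]
end

def check_lockfile(lockfile_text)
  version = locked_ruby_saml_version(lockfile_text)
  return { version: nil, status: :not_present } unless version
  { version: version, status: vulnerable_version?(version) ? :vulnerable : :fixed }
end

# Constructed Gemfile.lock excerpt, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      racc (1.7.3)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    ruby-saml (>= 1.12.4)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts check_lockfile(text).inspect
end
```

Run it with the path to a real Gemfile.lock as the first argument; with no argument it evaluates the constructed sample and reports 1.17.0 as vulnerable.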

📡 Detection & Monitoring

Log Indicators:

  • Memory exhaustion errors in application logs (Ruby raises NoMemoryError with "failed to allocate memory") or application workers killed by the kernel OOM killer ("Out of memory: Killed process" in the kernel log)
  • Worker restarts or request-time spikes that correlate with POSTs to the SAML ACS endpoint
  • SAML responses that fail parsing or validation without a matching login attempt from a known user

Network Indicators:

  • Many POSTs to the ACS endpoint from a single source, especially with near-identical or unusually large SAMLResponse parameters
  • POSTs to the ACS endpoint whose referrer or timing does not correspond to a preceding redirect to the identity provider

SIEM Query:

source="application.log" AND ("failed to allocate memory" OR "NoMemoryError" OR "SAML")

The quoted strings are starting points: ruby-saml itself raises validation errors rather than writing logs, so match on the messages your application actually emits around SAML response handling, and correlate hits with worker restarts and ACS endpoint request logs.

🔗 References
