CVE-2025-25293

NameCVE-2025-25293
Descriptionruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4115-1
Debian Bugs1100441

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-saml (PTS)bullseye1.11.0-1vulnerable
bullseye (security)1.11.0-1+deb11u2fixed
bookworm, bookworm (security)1.13.0-1+deb12u1vulnerable
sid, trixie1.17.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-samlsourcebullseye1.11.0-1+deb11u2DLA-4115-1
ruby-samlsource(unstable)(unfixed)1100441

Notes

https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq
Vulnerability might be the result of an incomplete fix for a zipbomb attack.
https://github.com/SAML-Toolkits/ruby-saml/pull/383 (v1.12.0)
https://github.com/SAML-Toolkits/ruby-saml/commit/533c84ebfc40f8cbac645b6c76ce4949f95d27d6 (v1.12.0)
https://github.com/SAML-Toolkits/ruby-saml/commit/e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1 (v1.12.4)
https://github.com/SAML-Toolkits/ruby-saml/pull/601 (v1.13.0..v1.18.0)
https://github.com/SAML-Toolkits/ruby-saml/commit/c21d6935b43a032701d99e398cbfc551e80bfb72 (v1.13.0)
https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a (v1.18.0)
Search for package or bug name: Reporting problems