CVE-2025-25293: 
Ruby vulnerability analysis and mitigation

Ruby-saml, a library providing SAML single sign-on (SSO) for Ruby, was found to be vulnerable to remote Denial of Service (DoS) with compressed SAML responses (CVE-2025-25293). Prior to versions 1.12.4 and 1.18.0, the library was susceptible to a vulnerability where an attacker could bypass message size checks with compressed SAML responses. The vulnerability was discovered in March 2025 and affects all versions prior to 1.12.4 and versions from 1.13.0 to before 1.18.0 (GitHub Advisory, NVD).

The vulnerability stems from how ruby-saml uses zlib to decompress SAML responses. The issue arises because the message size check is performed before inflation and not after, allowing attackers to bypass size restrictions. The vulnerability has been assigned a CVSS v4.0 score of 7.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (NVD).

Successful exploitation of this vulnerability could lead to remote Denial of Service (DoS) conditions. The vulnerability allows attackers to bypass message size checks, potentially causing resource exhaustion through the processing of maliciously crafted compressed SAML responses (GitHub Advisory).

The vulnerability has been fixed in ruby-saml versions 1.12.4 and 1.18.0. Users are strongly recommended to upgrade to these patched versions. The fix involves implementing proper message size validation after decompression. Projects using dependencies that rely on ruby-saml (such as omniauth-saml) should also ensure they update to versions that reference the fixed ruby-saml versions (GitHub Release, GitHub Release).

GitLab has acknowledged and addressed this vulnerability in their products, releasing patches in versions 17.9.2, 17.8.5, and 17.7.7. They have noted that the vulnerability requires an attacker to have compromised a valid user account to perform the authentication bypass (GitLab Release).