ruby-saml Remote Denial-of-Service Vulnerability via Compressed SAML Responses

Vulnerability

A remote denial-of-service vulnerability has been identified in the ruby-saml library, which provides SAML single sign-on functionality for Ruby applications. The vulnerability affects ruby-saml versions prior to 1.12.4, and versions from 1.13.0 up to but not including 1.18.0. The issue arises when SAML responses are compressed: ruby-saml enforces its message size limit on the still-compressed bytes and only then uses zlib to decompress the response, so a small compressed message that inflates to a very large document passes the check and can exhaust the application's resources, producing a denial-of-service condition.
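To make the mechanism concrete, the following Ruby example (added here, not ruby-saml's own code) contrasts the vulnerable pattern just described, a size check on the compressed bytes followed by an unbounded inflate, with a streaming inflate that enforces the same limit on the decompressed output. The 250,000-byte limit, the function names and the sample messages are assumptions constructed for this example; ruby-saml's actual limit and internals may differ. SAML HTTP-Redirect encoding (raw DEFLATE plus Base64) is used so the inputs look like real messages.

```ruby
require 'zlib'
require 'base64'

# Assumed limit for this example; ruby-saml's own size constant may differ.
MAX_SAML_BYTES = 250_000

class SamlMessageTooLarge < StandardError; end

# Helper used to build the example inputs: SAML HTTP-Redirect encoding is raw
# DEFLATE (negative window bits = no zlib header) followed by Base64.
def compress_saml(xml)
  deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  compressed = deflater.deflate(xml, Zlib::FINISH)
  deflater.close
  Base64.strict_encode64(compressed)
end

# Vulnerable pattern: the limit is applied to the still-compressed bytes and
# the inflate that follows has no bound on how much output it may produce.
def decode_unbounded(encoded, max_bytes: MAX_SAML_BYTES)
  raw = Base64.strict_decode64(encoded)
  raise SamlMessageTooLarge, "#{raw.bytesize} compressed bytes" if raw.bytesize > max_bytes
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw)
end

# Hardened pattern: keep the cheap check on the compressed size, then inflate
# in small input slices and re-check the accumulated *decompressed* size after
# each slice, aborting before a highly compressible payload can exhaust memory.
def decode_bounded(encoded, max_bytes: MAX_SAML_BYTES, slice_bytes: 256)
  raw = Base64.strict_decode64(encoded)
  raise SamlMessageTooLarge, "#{raw.bytesize} compressed bytes" if raw.bytesize > max_bytes

  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = String.new
  begin
    (0...raw.bytesize).step(slice_bytes) do |offset|
      out << zstream.inflate(raw.byteslice(offset, slice_bytes))
      if out.bytesize > max_bytes
        raise SamlMessageTooLarge, "decompressed size exceeds #{max_bytes} bytes"
      end
    end
    out << zstream.finish # raises Zlib::BufError if the DEFLATE stream is truncated
  ensure
    zstream.close unless zstream.closed?
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample messages: a tiny legitimate response and a 5 MB payload
  # of zero bytes that compresses to only a few kilobytes.
  legit = compress_saml('<samlp:Response ID="_example"/>')
  puts "legitimate response decodes to #{decode_bounded(legit).bytesize} bytes"

  bomb = compress_saml("\0" * 5_000_000)
  puts "bomb is #{Base64.strict_decode64(bomb).bytesize} compressed bytes, passes the compressed-size check"
  begin
    decode_bounded(bomb)
  rescue SamlMessageTooLarge => e
    puts "bounded decoder rejected it: #{e.message}"
  end
end
```

The slice size bounds how much memory a single inflate call can allocate before the limit is re-checked (DEFLATE expands at most roughly 1032:1, so a 256-byte slice yields well under 300 KB), which is what makes the decompressed-size check effective rather than merely cosmetic. Applying the limit after a single unbounded inflate call would already have allocated the full payload.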

Impact

Exploitation of this vulnerability can lead to a remote denial-of-service condition in which decompressing an attacker-supplied SAML response consumes enough memory or CPU that the application becomes unresponsive or unavailable.

Remediation

Users are advised to update ruby-saml to version 1.18.0, or to 1.12.4 if staying on the 1.12 release line. If using omniauth-saml, update its ruby-saml requirement to version 1.18.0.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          2.5
  exploitability  7.6
  remediation     7.7
  relevance       0.0
  threat          6.5
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.