Dblessing

PT-2025-31391 · CVSS 6.9 · 2025-07-30
Ruby-Saml · Ruby-Saml · CVE-2025-54572
**Name of the Vulnerable Software and Affected Versions**

ruby-saml versions 1.18.0 and below

**Description**

The Ruby SAML library, used for implementing the client side of a SAML authorization, contains a denial-of-service vulnerability. The `message_max_bytesize` setting, intended to prevent resource exhaustion, is ineffective because of the order of operations in the code: the SAML response is validated for Base64 format before the message size is checked. This can lead to excessive memory consumption, high CPU utilization, application slowdowns, and potential application crashes, ultimately resulting in a denial of service for legitimate users. The vulnerability is in the `decode_raw_saml` function, where `base64_encoded?` performs a regex match over the entire input string before the message size is checked.

**Recommendations**

ruby-saml versions prior to 1.18.1 are affected. Update to version 1.18.1 or later to resolve this issue.
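The ordering problem described above, shown side by side as an added example. This is not ruby-saml's own code: `Decoder`, `decode_before_fix`, `decode_after_fix`, `SizeLimitExceeded` and the stand-in `BASE64_FORMAT` regex are all assumptions chosen for illustration, and the instrumentation counts bytes scanned by the format check so the two orderings can be compared without timing.

```ruby
# Added illustration of the check ordering in CVE-2025-54572. Names below are
# assumptions for this example, not ruby-saml's API.

# Stand-in for a whole-input Base64 format check: one linear scan over the
# entire string. (Assumed regex, not ruby-saml's own constant.)
BASE64_FORMAT = %r{\A[A-Za-z0-9+/]+={0,2}\z}

class SizeLimitExceeded < StandardError; end

class Decoder
  # Total bytes the format check has scanned; lets a test show whether the
  # regex ran at all before an oversized message was rejected.
  attr_reader :bytes_scanned

  def initialize(message_max_bytesize:)
    @max = message_max_bytesize
    @bytes_scanned = 0
  end

  # The format check walks the full input, so its cost grows with the size
  # of whatever the caller sends.
  def base64_encoded?(str)
    @bytes_scanned += str.bytesize
    str.match?(BASE64_FORMAT)
  end

  # Vulnerable ordering: the regex runs over the whole message first and the
  # size limit is only consulted afterwards, so the limit cannot bound the
  # work already done.
  def decode_before_fix(saml)
    encoded = base64_encoded?(saml)
    raise SizeLimitExceeded if saml.bytesize > @max
    encoded ? saml.unpack1("m") : saml
  end

  # Fixed ordering: the O(1) bytesize check runs first, so oversized input is
  # rejected before any per-byte work happens.
  def decode_after_fix(saml)
    raise SizeLimitExceeded if saml.bytesize > @max
    base64_encoded?(saml) ? saml.unpack1("m") : saml
  end
end

# Runs both orderings against one payload and reports whether the message was
# rejected and how many bytes the format check scanned before that decision.
def compare(limit:, payload:)
  results = {}
  %i[decode_before_fix decode_after_fix].each do |method_name|
    decoder = Decoder.new(message_max_bytesize: limit)
    begin
      decoder.public_send(method_name, payload)
      results[method_name] = { rejected: false, bytes_scanned: decoder.bytes_scanned }
    rescue SizeLimitExceeded
      results[method_name] = { rejected: true, bytes_scanned: decoder.bytes_scanned }
    end
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  # Constructed oversized input: valid Base64 (pack("m0") = strict encoding)
  # well past a deliberately small limit.
  oversized = ["A" * 10_000].pack("m0")
  p compare(limit: 1024, payload: oversized)
end
```

Both orderings reject the oversized message, but only the fixed ordering does so with zero bytes scanned; the vulnerable ordering has already paid for a full regex pass over the input by the time the limit is applied, which is exactly why `message_max_bytesize` did not protect against the resource exhaustion the advisory describes.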