PT-2023-21576 · Saml

Nszetei · Published 2023-03-22 · Updated 2023-08-23 · CVE-2023-28119

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: github.com/crewjam/saml versions prior to 0.4.13

Description: The issue arises from the package's use of flate.NewReader without limiting the size of the input. This allows a user to pass more than 1 MB of data in an HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Repeating the same request multiple times can lead to a reliable crash, as the operating system kills the process due to excessive resource usage.

Recommendations: For versions prior to 0.4.13, update to version 0.4.13 to resolve the issue. As a temporary workaround, consider limiting the size of HTTP requests to prevent excessive decompression. Restrict access to the flate.NewReader function until a patch is available. Avoid using the Deflate algorithm for decompressing large inputs in the affected API endpoints until the issue is resolved.
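The unbounded read pattern the description refers to, next to a bounded variant that rejects oversized streams before allocating them, as an added Go example (not code from github.com/crewjam/saml or from this advisory; the function names and the 1 MiB cap are assumptions, and the test input is constructed):

```go
package main
import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated output would exceed the cap.
var ErrTooLarge = errors.New("decompressed payload exceeds limit")

// inflateUnbounded is the vulnerable pattern: the inflater is read to EOF,
// so memory use is governed by the expanded size, not the request size.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded reads at most maxOut+1 bytes from the inflater; the extra
// byte reveals an oversized stream, which is rejected instead of allocated.
func inflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrTooLarge
	}
	return out, nil
}

// deflate builds a raw Deflate (RFC 1951) stream, the encoding SAML's HTTP-Redirect binding uses.
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

func main() {
	// Constructed input: 4 MiB of zeros, which Deflate shrinks to a few KiB.
	bomb := deflate(make([]byte, 4<<20))
	_, err := inflateBounded(bomb, 1<<20) // 1 MiB cap
	fmt.Printf("%d compressed bytes, bounded result: %v\n", len(bomb), err)
}
```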

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

ALT-PU-2023-4133
ALT-PU-2023-4148
ALT-PU-2023-4346
ALT-PU-2023-4567
CVE-2023-28119
GHSA-5MQJ-XC49-246P
GO-2023-1664

Affected Products

Alt Linux
Saml