PT-2025-31391 · Ruby-Saml+1

Dblessing · Published 2025-07-30 · Updated 2025-09-02 · CVE-2025-54572

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ruby-saml versions 1.18.0 and below
Description: The Ruby SAML library, used for implementing the client side of a SAML authorization, contains a denial-of-service vulnerability. The message_max_bytesize setting, intended to prevent resource exhaustion, is ineffective because of the order of operations in the code: the SAML response is checked for Base64 format before its size is checked. An oversized message can therefore cause excessive memory consumption, high CPU utilization, application slowdowns and potential application crashes, resulting in a denial of service for legitimate users. The vulnerability is in the decode_raw_saml function, where base64_encoded? performs regex matching on the entire input string before the message size check runs.
Recommendations: ruby-saml versions prior to 1.18.1 are affected. Update to version 1.18.1 or later to resolve this issue.
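The two check orderings contrasted in the description, as an added illustration that is not the ruby-saml source: the function names, the exception class and the byte cap are this example's own choices. The trace shows that only the fixed ordering rejects an oversized payload before the full-string regex ever runs.

```ruby
require 'base64'

# Illustrative reconstruction of the ordering bug, not the ruby-saml code.
# Names and the cap value below are this example's own assumptions.
BASE64_FORMAT = %r{\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)\z}
MESSAGE_MAX_BYTESIZE = 250_000 # assumed default cap for this example

class MessageTooLarge < StandardError; end

# Full-string regex: its cost grows with the size of the untrusted input.
def base64_encoded?(message)
  message.match?(BASE64_FORMAT)
end

# Vulnerable ordering: the regex runs over the whole payload before the cap.
def decode_raw_saml_vulnerable(saml, max_bytesize: MESSAGE_MAX_BYTESIZE, trace: [])
  trace << :regex
  return saml unless base64_encoded?(saml)
  trace << :size_check
  raise MessageTooLarge, "exceeds #{max_bytesize} bytes" if saml.bytesize > max_bytesize
  Base64.decode64(saml)
end

# Fixed ordering: the cheap bytesize check runs first, so oversized input never reaches the regex.
def decode_raw_saml_fixed(saml, max_bytesize: MESSAGE_MAX_BYTESIZE, trace: [])
  trace << :size_check
  raise MessageTooLarge, "exceeds #{max_bytesize} bytes" if saml.bytesize > max_bytesize
  trace << :regex
  return saml unless base64_encoded?(saml)
  Base64.decode64(saml)
end

# Runs a decoder and reports which checks executed and how the call ended.
def check_order(decoder, saml, max_bytesize:)
  trace = []
  result = send(decoder, saml, max_bytesize: max_bytesize, trace: trace)
  { trace: trace, outcome: :decoded, result: result }
rescue MessageTooLarge
  { trace: trace, outcome: :rejected, result: nil }
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a small valid message and an oversized base64-shaped blob.
  small = Base64.strict_encode64('<samlp:Response ID="_constructed"/>')
  oversized = 'A' * 4_096
  %i[decode_raw_saml_vulnerable decode_raw_saml_fixed].each do |d|
    puts "#{d}: small -> #{check_order(d, small, max_bytesize: 1_024)[:trace]}"
    puts "#{d}: oversized -> #{check_order(d, oversized, max_bytesize: 1_024)}"
  end
end
```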

Tags: Exploit · Fix · DoS · Resource Exhaustion · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2025-54572
DLA-4288-1
GHSA-RRQH-93C8-J966

Affected Products

Debian
Ruby-Saml