|
| 1 | +--- |
| 2 | +gem: ruby-saml |
| 3 | +cve: 2025-54572 |
| 4 | +ghsa: rrqh-93c8-j966 |
| 5 | +url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966 |
| 6 | +title: Ruby SAML DOS vulnerability with large SAML response |
| 7 | +date: 2025-07-30 |
| 8 | +description: | |
| 9 | + ### Summary |
| 10 | +
|
| 11 | + A denial-of-service vulnerability exists in ruby-saml even with the |
| 12 | + message_max_bytesize setting configured. The vulnerability occurs |
| 13 | + because the SAML response is validated for Base64 format prior to |
| 14 | + checking the message size, leading to potential resource exhaustion. |
| 15 | +
|
| 16 | + ### Details |
| 17 | +
|
| 18 | + `ruby-saml` includes a `message_max_bytesize` setting intended to |
| 19 | + prevent DOS attacks and decompression bombs. However, this protection |
| 20 | + is ineffective in some cases due to the order of operations in the code: |
| 21 | +
|
| 22 | + https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb |
| 23 | +
|
| 24 | + ```ruby |
| 25 | + def decode_raw_saml(saml, settings = nil) |
| 26 | + return saml unless base64_encoded?(saml) |
| 27 | + # <--- Issue here. Should be moved after next code block. |
| 28 | +
|
| 29 | + settings = OneLogin::RubySaml::Settings.new if settings.nil? |
| 30 | + if saml.bytesize > settings.message_max_bytesize |
| 31 | + raise ValidationError.new(\"Encoded SAML Message exceeds \" + |
| 32 | + settings.message_max_bytesize.to_s + |
| 33 | + \" bytes, so was rejected\") |
| 34 | + end |
| 35 | + decoded = decode(saml) |
| 36 | + ... |
| 37 | + end |
| 38 | + ``` |
| 39 | +
|
| 40 | + The vulnerability is in the execution order. Prior to checking |
| 41 | + bytesize the `base64_encoded?` function performs regex matching |
| 42 | + on the entire input string: |
| 43 | +
|
| 44 | + ```ruby |
| 45 | + !!string.gsub(/[\\r\]|\\\\r|\\\|\\s/, \"\").match(BASE64_FORMAT) |
| 46 | + ``` |
| 47 | +
|
| 48 | + ### Impact |
| 49 | +
|
| 50 | + _What kind of vulnerability is it? Who is impacted?_ |
| 51 | +
|
| 52 | + When successfully exploited, this vulnerability can lead to: |
| 53 | + - Excessive memory consumption |
| 54 | + - High CPU utilization |
| 55 | + - Application slowdown or unresponsiveness |
| 56 | + - Complete application crash in severe cases |
| 57 | + - Potential denial of service for legitimate users |
| 58 | +
|
| 59 | + All applications using `ruby-saml` with SAML configured and |
| 60 | + enabled are vulnerable. |
| 61 | +
|
| 62 | + ### Potential Solution |
| 63 | +
|
| 64 | + Reorder the validation steps to ensure max bytesize is checked first |
| 65 | +
|
| 66 | + ```ruby |
| 67 | + def decode_raw_saml(saml, settings = nil) |
| 68 | + settings = OneLogin::RubySaml::Settings.new |
| 69 | + if settings.nil? |
| 70 | + if saml.bytesize > settings.message_max_bytesize |
| 71 | + raise ValidationError.new(\"Encoded SAML Message exceeds \" + |
| 72 | + settings.message_max_bytesize.to_s + \" bytes, so was rejected\") |
| 73 | + end |
| 74 | + return saml unless base64_encoded?(saml) |
| 75 | + decoded = decode(saml) |
| 76 | + ... |
| 77 | + end |
| 78 | + ``` |
| 79 | +cvss_v4: 6.9 |
| 80 | +patched_versions: |
| 81 | + - ">= 1.18.1" |
| 82 | +related: |
| 83 | + url: |
| 84 | + - https://nvd.nist.gov/vuln/detail/CVE-2025-54572 |
| 85 | + - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966 |
| 86 | + - https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.1 |
| 87 | + - https://github.com/SAML-Toolkits/ruby-saml/pull/770 |
| 88 | + - https://github.com/SAML-Toolkits/ruby-saml/commit/38ef5dd1ce17514e202431f569c4f5633e6c2709 |
| 89 | + - https://github.com/advisories/GHSA-rrqh-93c8-j966 |
0 commit comments