
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN490
_____________________________________________________________________

DATE                : 01/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running ruby-saml (RubyGems) versions
                     prior to 1.18.1.

=====================================================================
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966
_____________________________________________________________________


DOS with large SAML response
Moderate
pitbulk published GHSA-rrqh-93c8-j966 Jul 29, 2025

Package
ruby-saml (RubyGems)

Affected versions
< 1.18.1

Patched versions
1.18.1


Description

Summary

A denial-of-service vulnerability exists in ruby-saml even when the
message_max_bytesize setting is configured. The SAML response is
checked for Base64 format (a whitespace-stripping gsub and a regex pass
over the entire input) before its size is checked, so an oversized
message still costs time and memory proportional to its length,
leading to potential resource exhaustion.


Details

ruby-saml includes a message_max_bytesize setting intended to prevent
DoS attacks and decompression bombs. However, this protection is
ineffective in some cases because of the order of operations in the
code:

https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb

def decode_raw_saml(saml, settings = nil)
  return saml unless base64_encoded?(saml) # <--- Issue here. Should be moved after the next code block.

  settings = OneLogin::RubySaml::Settings.new if settings.nil?
  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end

  decoded = decode(saml)
  ...
end

The vulnerability lies in the execution order. Before the bytesize
check runs, base64_encoded? copies the entire input with gsub to strip
whitespace and then matches a regex against the whole copy:

!!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)

Both the copy and the regex scan cost time and memory proportional to
the attacker-controlled input length, and message_max_bytesize never
bounds them because it is only consulted afterwards. Note also that a
message which fails the Base64 check is returned early and never
reaches the size check at all.



Impact

What kind of vulnerability is it? Who is impacted?

When successfully exploited, this vulnerability can lead to:

    Excessive memory consumption
    High CPU utilization
    Application slowdown or unresponsiveness
    Complete application crash in severe cases
    Potential denial of service for legitimate users

All applications using ruby-saml with SAML configured and enabled
are vulnerable.
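As an added example (not part of the advisory or of ruby-saml), a quick way to tell whether a deployment is in the affected range is to read the ruby-saml pin out of its Gemfile.lock and compare it with the patched version. The lockfile below is constructed for the demonstration; the helper names are my own.

```ruby
# Added example, not part of the advisory: check a Gemfile.lock for a
# ruby-saml pin below the patched 1.18.1. The lockfile text is constructed.
PATCHED_RUBY_SAML = Gem::Version.new("1.18.1")

# Returns the ruby-saml version pinned in a Gemfile.lock, or nil if the gem
# is not in the lock. Top-level specs in a lockfile are indented four spaces;
# their dependency lines (six spaces) and the DEPENDENCIES section
# (no version in parentheses) are deliberately not matched.
def locked_ruby_saml_version(lockfile_text)
  m = lockfile_text.match(/^ {4}ruby-saml \(([^)]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# True when the lock pins a ruby-saml release below 1.18.1.
def ruby_saml_affected?(lockfile_text)
  v = locked_ruby_saml_version(lockfile_text)
  !v.nil? && v < PATCHED_RUBY_SAML
end

# Constructed lockfile excerpt (not taken from any real application).
CONSTRUCTED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.5)
      rexml (3.3.2)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml

  PLATFORMS
    ruby

  DEPENDENCIES
    ruby-saml
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a real Gemfile.lock path as the first argument, or run on the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : CONSTRUCTED_LOCK
  v = locked_ruby_saml_version(text)
  if v.nil?
    puts "ruby-saml not present in lockfile"
  elsif ruby_saml_affected?(text)
    puts "ruby-saml #{v}: AFFECTED, upgrade to 1.18.1 or later"
  else
    puts "ruby-saml #{v}: patched"
  end
end
```

Gem::Version handles the comparison, so prerelease and multi-digit components (1.9.x vs 1.18.x) are ordered correctly rather than as strings.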


Potential Solution

Reorder the validation steps so that message_max_bytesize is checked first:

def decode_raw_saml(saml, settings = nil)
  settings = OneLogin::RubySaml::Settings.new if settings.nil?

  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end
  
  return saml unless base64_encoded?(saml)
  decoded = decode(saml)
  ...
end
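As an added example that is not ruby-saml's own code, the two orderings from the Details and Potential Solution sections above run side by side on constructed oversized inputs, with a probe that counts how many bytes the Base64 format check actually scans. BASE64_FORMAT and the body of base64_encoded? are taken from ruby-saml; Settings, ValidationError, the Probe counter, the 10_000-byte limit and the input sizes are assumptions made for the demonstration.

```ruby
# Added example, not ruby-saml's own code: the vulnerable (< 1.18.1) and the
# fixed (1.18.1) ordering of decode_raw_saml side by side, with a probe that
# counts how many bytes the Base64 format check is handed.
# BASE64_FORMAT and base64_encoded? mirror ruby-saml's helpers; Settings and
# ValidationError are minimal stand-ins (assumptions for this demonstration).

BASE64_FORMAT = %r{\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)\Z}

class ValidationError < StandardError; end

# Stand-in for OneLogin::RubySaml::Settings: only message_max_bytesize matters here.
Settings = Struct.new(:message_max_bytesize)

# Wraps base64_encoded? and records how many input bytes it was given.
class Probe
  attr_reader :bytes_scanned

  def initialize
    @bytes_scanned = 0
  end

  # Same check as ruby-saml: gsub copies the whole string with whitespace
  # stripped, then the regex walks the whole copy. Both are linear in input size.
  def base64_encoded?(string)
    @bytes_scanned += string.bytesize
    !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
  end
end

# The size check from the advisory, as a shared helper (constant cost).
def size_check!(saml, settings)
  return unless saml.bytesize > settings.message_max_bytesize

  raise ValidationError, "Encoded SAML Message exceeds #{settings.message_max_bytesize} bytes, so was rejected"
end

# Ordering in ruby-saml < 1.18.1: format check over the full input first.
def decode_raw_saml_vulnerable(saml, settings, probe)
  return saml unless probe.base64_encoded?(saml)

  size_check!(saml, settings)
  saml.unpack1("m") # lenient Base64 decode, as Base64.decode64 does
end

# Ordering in 1.18.1: bytesize check first, so the regex only ever sees
# input no longer than message_max_bytesize.
def decode_raw_saml_fixed(saml, settings, probe)
  size_check!(saml, settings)
  return saml unless probe.base64_encoded?(saml)

  saml.unpack1("m")
end

# Runs one ordering and reports whether the message was rejected and how
# many bytes the format check scanned before that decision was reached.
def run(impl, saml, settings)
  probe = Probe.new
  rejected = false
  begin
    send(impl, saml, settings, probe)
  rescue ValidationError
    rejected = true
  end
  { rejected: rejected, bytes_scanned: probe.bytes_scanned }
end

# Constructed oversized inputs (not real SAML): a valid Base64 blob and a raw
# XML-looking blob, both well above the limit used below.
def oversized_base64(decoded_bytes = 30_000)
  ["A" * decoded_bytes].pack("m0") # strict Base64, no line breaks: 40_000 chars
end

def oversized_raw(repeats = 1_000)
  "<samlp:Response/>" * repeats # 17_000 bytes, not Base64
end

if __FILE__ == $PROGRAM_NAME
  settings = Settings.new(10_000) # deliberately small limit for the demonstration
  [oversized_base64, oversized_raw].each do |msg|
    puts "input of #{msg.bytesize} bytes:"
    puts "  vulnerable order: #{run(:decode_raw_saml_vulnerable, msg, settings)}"
    puts "  fixed order:      #{run(:decode_raw_saml_fixed, msg, settings)}"
  end
end
```

With the old ordering the regex stage touches every byte of the 40 000-byte Base64 blob before the size check rejects it, and the oversized non-Base64 blob is handed back unrejected because the early return precedes the size check. With the new ordering neither oversized input reaches the regex, and only a message within the limit is format-checked and decoded.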



Severity
Moderate

CVE ID
CVE-2025-54572

Weaknesses
CWE-400 (Uncontrolled Resource Consumption)


Credits

    @dblessing (Reporter)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
