DEBIAN-CVE-2025-25293

DEBIAN-CVE-2025-25293 PUBLISHED CVSS 7.5 HIGH

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:11	ruby-saml	1.11.0-1, 1.11.0-1+deb11u1, 0
Debian:12	ruby-saml	1.13.0-1, 1.15.0-1, 0

Exploit Intelligence

CVE-2025-25293.yml (github-poc)

Timeline

Mar 12, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-25293 advisory

Open in Interactive Console →