What is the severity of CVE-2025-54572?

CVE-2025-54572 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-54572?

No known public exploits are currently available for CVE-2025-54572.

Is there a patch available for CVE-2025-54572?

Yes, patches are available for CVE-2025-54572. Check the vendor advisories for update instructions.

CVE-2025-54572 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.

Details

ruby-saml includes a message_max_bytesize setting intended to prevent DOS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code:

https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb

      def decode_raw_saml(saml, settings = nil)
        return saml unless base64_encoded?(saml) # <--- Issue here. Should be moved after next code block.

        settings = OneLogin::RubySaml::Settings.new if settings.nil?
        if saml.bytesize > settings.message_max_bytesize
          raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
        end

        decoded = decode(saml)
        ...
      end

The vulnerability is in the execution order. Prior to checking bytesize the base64_encoded? function performs regex matching on the entire input string:

!!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)

Impact

What kind of vulnerability is it? Who is impacted?

When successfully exploited, this vulnerability can lead to:

Excessive memory consumption
High CPU utilization
Application slowdown or unresponsiveness
Complete application crash in severe cases
Potential denial of service for legitimate users

All applications using ruby-saml with SAML configured and enabled are vulnerable.

Potential Solution

Reorder the validation steps to ensure max bytesize is checked first

def decode_raw_saml(saml, settings = nil)
  settings = OneLogin::RubySaml::Settings.new if settings.nil?

  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end
  
  return saml unless base64_encoded?(saml)
  decoded = decode(saml)
  ...
end

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com