CVE-2025-54572: CWE-400: Uncontrolled Resource Consumption in SAML-Toolkits ruby-saml
The Ruby SAML library is for implementing the client side of a SAML authorization. In versions 1.18.0 and below, a denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion. This is fixed in version 1.18.1.
AI Analysis
Technical Summary
CVE-2025-54572 is a denial-of-service vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the ruby-saml library, a widely used Ruby toolkit for implementing SAML client-side authorization. In versions 1.18.0 and below, the library attempts to validate the Base64 encoding of incoming SAML responses before checking the size of the message against the configured message_max_bytesize limit. This sequence allows an attacker to submit a maliciously crafted SAML response with an excessively large payload that passes the Base64 validation but exceeds the intended size limit. As a result, the server processes the oversized message, leading to resource exhaustion such as CPU and memory consumption, ultimately causing denial-of-service conditions. The vulnerability can be triggered remotely without requiring any authentication or user interaction, increasing its risk profile. The issue was addressed in ruby-saml version 1.18.1 by correcting the validation order to enforce size limits prior to Base64 checks, effectively mitigating the risk of resource exhaustion. Although no active exploits have been reported, the medium CVSS 4.0 score of 6.9 reflects the potential impact on availability and ease of exploitation. Organizations using ruby-saml in their SAML authentication flows should upgrade promptly to the fixed version to prevent service disruptions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the availability of identity and access management services that utilize the ruby-saml library for SAML authentication. Denial-of-service attacks exploiting this flaw could disrupt user authentication processes, leading to service outages or degraded performance in critical applications relying on SAML-based single sign-on (SSO). This can affect sectors such as finance, healthcare, government, and enterprises with complex IT infrastructures where SAML is commonly deployed. The disruption may result in operational downtime, loss of productivity, and potential compliance issues under regulations like GDPR if service availability impacts data access controls. Since exploitation requires no authentication and can be performed remotely, attackers could target exposed endpoints to cause widespread service interruptions. However, the vulnerability does not directly compromise confidentiality or integrity, limiting the impact to availability concerns. Prompt patching is essential to maintain uninterrupted access to services and prevent potential cascading effects in federated authentication environments.
Mitigation Recommendations
The primary mitigation is to upgrade the ruby-saml library to version 1.18.1 or later, where the vulnerability has been fixed by enforcing message size checks before Base64 validation. Organizations should audit their codebases and dependencies to identify any usage of ruby-saml versions below 1.18.1 and apply the update as a priority. Additionally, implement network-level protections such as rate limiting and web application firewalls (WAFs) to detect and block abnormal SAML response sizes or malformed requests that could indicate exploitation attempts. Monitoring authentication service logs for unusual spikes in SAML response processing times or resource usage can help detect attempted or successful attacks early. Where possible, isolate SAML processing components to limit the impact of resource exhaustion on other services. Finally, incorporate this vulnerability into incident response plans and ensure that security teams are aware of the risk and remediation status.
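The ordering problem described in the technical summary, and the fix the mitigation section refers to, as an added Ruby illustration that is not ruby-saml's own code: the `decode_vulnerable` and `decode_fixed` helpers, the `DecodeMeter` counter and the 250,000-byte limit are constructed for this example (the page only names the `message_max_bytesize` setting), and only the relative order of the size check and the Base64 check follows the advisory. The counter records how many bytes reach the decoder before a message is rejected, which is the cost the reordering removes.

```ruby
# Added example (not ruby-saml's code). Models the two check orderings the
# advisory describes for a Base64-encoded SAML response, and measures how
# much decoding work each ordering spends on a message it rejects anyway.

MESSAGE_MAX_BYTESIZE = 250_000 # constructed limit for this example

# Tracks bytes handed to the Base64 decoder during one decode attempt.
module DecodeMeter
  @bytes = 0
  class << self
    attr_accessor :bytes
  end
end

# Strict Base64 decode using String#unpack1("m0"), which raises
# ArgumentError on non-canonical input. Returns nil when invalid.
# Every call scans the whole input, so its cost grows with message size.
def try_decode(str)
  DecodeMeter.bytes += str.bytesize
  str.unpack1("m0")
rescue ArgumentError
  nil
end

# Vulnerable ordering (the behaviour the advisory attributes to <= 1.18.0):
# the Base64 format check runs over the full message before the size limit
# is consulted, so an oversized but well-formed message is fully decoded
# before it is rejected.
def decode_vulnerable(raw, max_bytes: MESSAGE_MAX_BYTESIZE)
  decoded = try_decode(raw)
  return [:rejected, :invalid_base64] if decoded.nil?
  return [:rejected, :too_large] if raw.bytesize > max_bytes
  [:ok, decoded]
end

# Fixed ordering (the behaviour the advisory attributes to 1.18.1): the
# O(1) bytesize comparison runs first, so oversized input is rejected
# before any decoding work happens.
def decode_fixed(raw, max_bytes: MESSAGE_MAX_BYTESIZE)
  return [:rejected, :too_large] if raw.bytesize > max_bytes
  decoded = try_decode(raw)
  return [:rejected, :invalid_base64] if decoded.nil?
  [:ok, decoded]
end

# Runs one ordering on a message and returns [outcome, bytes_decoded].
def decode_work(method_name, raw, max_bytes: MESSAGE_MAX_BYTESIZE)
  DecodeMeter.bytes = 0
  outcome = send(method_name, raw, max_bytes: max_bytes)
  [outcome, DecodeMeter.bytes]
end

# Constructed inputs: a small well-formed response and an oversized
# well-formed one (400,000 Base64 characters, above the limit).
SMALL_RESPONSE = ["<samlp:Response>ok</samlp:Response>"].pack("m0")
OVERSIZED_RESPONSE = ["A" * 300_000].pack("m0")

if __FILE__ == $PROGRAM_NAME
  [:decode_vulnerable, :decode_fixed].each do |m|
    outcome, bytes = decode_work(m, OVERSIZED_RESPONSE)
    puts "#{m}: #{outcome.inspect}, decoded #{bytes} bytes before deciding"
  end
end
```

Run stand-alone, the script shows the vulnerable ordering decoding all 400,000 bytes of the oversized message before rejecting it, while the fixed ordering rejects it after decoding nothing; both orderings accept the small response and reject malformed input in the same way, so the reordering changes cost, not outcome.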
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-25T16:19:16.091Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 688a2991ad5a09ad00a671b5
Added to database: 7/30/2025, 2:17:53 PM
Last enriched: 11/3/2025, 8:35:12 PM
Last updated: 12/15/2025, 4:39:13 AM
Views: 67