
CVE-2025-54572: CWE-400: Uncontrolled Resource Consumption in SAML-Toolkits ruby-saml

Severity: Medium
Tags: vulnerability, CVE-2025-54572, CWE-400, CWE-770
Published: Wed Jul 30 2025 (07/30/2025, 14:05:43 UTC)
Source: CVE Database V5
Vendor/Project: SAML-Toolkits
Product: ruby-saml

Description

The Ruby SAML library is for implementing the client side of a SAML authorization. In versions 1.18.0 and below, a denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion. This is fixed in version 1.18.1.

AI-Powered Analysis

Last updated: 07/30/2025, 14:32:43 UTC

Technical Analysis

CVE-2025-54572 is a denial-of-service (DoS) vulnerability affecting the ruby-saml library, a widely used Ruby implementation for handling SAML (Security Assertion Markup Language) client-side authorization. The vulnerability exists in versions prior to 1.18.1. The root cause is an uncontrolled resource consumption issue (CWE-400) combined with improper input validation (CWE-770). Specifically, the library validates the SAML response for Base64 encoding before enforcing the message_max_bytesize limit. This sequence allows an attacker to send a large, Base64-valid SAML response that exceeds the intended size limit, causing excessive resource consumption during processing. This can lead to denial of service by exhausting memory or CPU resources on the server handling authentication requests. The vulnerability does not require authentication, user interaction, or privileges, and can be exploited remotely over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, lack of required privileges, and the impact limited to availability. No known exploits are currently reported in the wild. The issue was fixed in ruby-saml version 1.18.1 by correcting the validation order to check message size before Base64 validation, preventing oversized messages from consuming excessive resources.
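The ordering problem described above, as an added illustration that is not ruby-saml's own code: two decoders that differ only in whether the size limit is checked before or after the Base64 format check. `DEFAULT_MAX_BYTES`, the exception classes and the `stats` counter are assumptions made for the example; the counter records how many bytes the format check had to scan before an oversized message was rejected.

```ruby
require "base64"

# Constructed illustration of the ordering bug, not ruby-saml's own code.
# DEFAULT_MAX_BYTES stands in for the library's message_max_bytesize setting.
DEFAULT_MAX_BYTES = 250_000

class MessageTooLarge < StandardError; end
class NotBase64 < StandardError; end

STRICT_BASE64 = %r{\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\z}

# Format check whose cost grows with the input; `stats` records how many bytes
# it had to scan so the two orderings below can be compared.
def base64_format?(raw, stats)
  stats[:bytes_scanned] += raw.bytesize
  raw.delete("\r\n ").match?(STRICT_BASE64)
end

# Vulnerable ordering (the pre-1.18.1 behaviour as the advisory describes it):
# the whole payload is scanned for Base64 validity before the size limit is
# consulted, so a huge but well-formed body costs work proportional to its length.
def decode_vulnerable(raw, max_bytes: DEFAULT_MAX_BYTES, stats: Hash.new(0))
  raise NotBase64, "message is not Base64" unless base64_format?(raw, stats)
  raise MessageTooLarge, "#{raw.bytesize} > #{max_bytes}" if raw.bytesize > max_bytes
  Base64.strict_decode64(raw.delete("\r\n "))
end

# Fixed ordering: String#bytesize is O(1), so an oversized message is refused
# before any work proportional to its size is done.
def decode_fixed(raw, max_bytes: DEFAULT_MAX_BYTES, stats: Hash.new(0))
  raise MessageTooLarge, "#{raw.bytesize} > #{max_bytes}" if raw.bytesize > max_bytes
  raise NotBase64, "message is not Base64" unless base64_format?(raw, stats)
  Base64.strict_decode64(raw.delete("\r\n "))
end

# Returns how many bytes a decoder scanned before it rejected an oversized message.
def bytes_scanned_before_rejection(decoder, raw, max_bytes: DEFAULT_MAX_BYTES)
  stats = Hash.new(0)
  send(decoder, raw, max_bytes: max_bytes, stats: stats)
  raise "decoder accepted an oversized message"
rescue MessageTooLarge
  stats[:bytes_scanned]
end

if $PROGRAM_NAME == __FILE__
  oversized = Base64.strict_encode64("A" * 300_000) # constructed: 400,000 bytes of valid Base64
  puts "vulnerable ordering scanned #{bytes_scanned_before_rejection(:decode_vulnerable, oversized)} bytes"
  puts "fixed ordering scanned      #{bytes_scanned_before_rejection(:decode_fixed, oversized)} bytes"
end
```

The same principle applies to any other proportional-cost step (inflating a deflated Redirect-binding message, XML parsing): the constant-time size check belongs ahead of all of them.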

Potential Impact

For European organizations relying on ruby-saml for SAML-based single sign-on (SSO) or federated identity management, this vulnerability poses a risk of service disruption. An attacker could target authentication endpoints to trigger resource exhaustion, causing denial of service and preventing legitimate users from authenticating. This can impact business continuity, especially for critical services that depend on SAML for secure access. The disruption could affect internal applications, cloud services, or partner integrations using SAML. While the vulnerability does not lead to data breach or privilege escalation, the availability impact can degrade user experience and operational efficiency. Organizations in sectors with high reliance on SAML authentication, such as government, finance, healthcare, and large enterprises, may face increased risk. Additionally, the vulnerability could be leveraged as part of a broader attack chain to distract or delay incident response. Given the lack of known exploits, the immediate threat is moderate, but the ease of exploitation and potential for denial of service warrant prompt remediation.

Mitigation Recommendations

European organizations should immediately upgrade ruby-saml to version 1.18.1 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement network-level protections such as rate limiting and input size restrictions on SAML endpoints to mitigate large or malformed requests. Monitoring authentication service logs for unusually large or frequent SAML responses can help detect exploitation attempts. Employ Web Application Firewalls (WAFs) with custom rules to block oversized Base64-encoded payloads targeting SAML endpoints. Additionally, conduct thorough testing of SAML integrations to ensure message_max_bytesize settings are correctly enforced. Organizations should also review incident response plans to include scenarios involving authentication service DoS. Coordination with identity providers and service providers to ensure they are not sending oversized SAML responses is advisable. Finally, maintain up-to-date vulnerability management processes to promptly apply patches for dependencies like ruby-saml.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-25T16:19:16.091Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 688a2991ad5a09ad00a671b5

Added to database: 7/30/2025, 2:17:53 PM

Last enriched: 7/30/2025, 2:32:43 PM

Last updated: 7/31/2025, 8:28:31 AM
