curl: Unbounded memory consumption via compressed HTTP responses (gzip/brotli/zstd)

During a review of curl's handling of response decompression, it was noticed that no limit exists on the final uncompressed data volume from compressed HTTP replies. Instead of setting constraints, the current design allows indefinite expansion during processing. This absence of limits could lead...

Linux Distros Unpatched Vulnerability : CVE-2015-2206

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - libraries/selectlang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in...

BIT-GITLAB-2025-25293 ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses

ruby-saml provides security assertion markup language SAML single sign-on SSO for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service DoS with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is...

Remote Denial Of Service (DoS)

ruby-saml is vulnerable to remote Denial of Service DoS. The vulnerability is due to the message size check being performed before decompression, allowing attackers to bypass it using compressed SAML responses...

CVE-2025-25293

ruby-saml provides security assertion markup language SAML single sign-on SSO for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service DoS with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is...

CVE-2025-25293

ruby-saml provides security assertion markup language SAML single sign-on SSO for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service DoS with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is...

DEBIAN-CVE-2025-25293

ruby-saml provides security assertion markup language SAML single sign-on SSO for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service DoS with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is...

UBUNTU-CVE-2025-25293

ruby-saml provides security assertion markup language SAML single sign-on SSO for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service DoS with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is...

GHSA-92RQ-C8CF-PRRQ Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses

Summary ruby-saml is susceptible to remote Denial of Service DoS with compressed SAML responses. Ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in decoderawsaml, which does not sufficiently check the size of a compressed SAML response. An attacker can cause the application to consume excessive resources by sending a large...

Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses

Summary ruby-saml is susceptible to remote Denial of Service DoS with compressed SAML responses. Ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before...

Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses

Summary ruby-saml is susceptible to remote Denial of Service DoS with compressed SAML responses. Ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before...

OneLogin ruby-saml 安全漏洞

Onelogin OneLogin ruby-saml is a Ruby-based SAML Security Assertion Markup Language library for Single Sign-On SSO services from Onelogin, USA. A security vulnerability exists in ruby-saml versions prior to 1.12.4 and 1.18.0, which stems from an improper handling of compressed SAML responses and...

Memory exhaustion in http4s-async-http-client with large or malicious compressed responses

Impact A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a...

GHSA-8HXH-R6F7-JF45 Memory exhaustion in http4s-async-http-client with large or malicious compressed responses

Impact A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a...

BREACH vulnerability in compressed HTTPS

Overview By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream. Description Angelo Prado of Salesforce.com reports:Extending the CRIME vulnerability presented at Ekoparty 2012, an attacker can target HTTPS...

Ubuntu 6.06 LTS / 6.10 : libnet-dns-perl vulnerabilities (USN-483-1)

Peter Johannes Holzer discovered that the Net::DNS Perl module had predictable sequence numbers. This could allow remote attackers to carry out DNS spoofing, leading to possible man-in-the-middle attacks. CVE-2007-3377 Steffen Ullrich discovered that the Net::DNS Perl module did not correctly...

USN-483-1: libnet-dns-perl vulnerabilities

Peter Johannes Holzer discovered that the Net::DNS Perl module had predictable sequence numbers. This could allow remote attackers to carry out DNS spoofing, leading to possible machine-in-the-middle attacks. CVE-2007-3377 Steffen Ullrich discovered that the Net::DNS Perl module did not correctly...