CVE-2025-66568
Published 2025-12-09
Priority: P2 · 60 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.21% (10.9th percentile)
The ruby-saml library implements the client side of a SAML authorization. Versions up to and including 1.12.4 are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2's canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 1.18.0.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-saml | — | — |
| onelogin | ruby-saml | < 1.18.0 | 1.18.0 |
| onelogin | ruby-saml | >= 0 < 1.18.0 | 1.18.0 |
| saml-toolkits | ruby-saml | < 1.18.0 | 1.18.0 |
Detection & IOCs (extracted from sources)
- Vulnerable versions of ruby-saml are 1.12.4 and below; monitor SAML authentication flows using these versions for authentication bypass attempts (Signature Wrapping).
- Exploitation requires the attacker to craft a malformed SAML XML document; the attack is only possible against deployments using ruby-saml with Nokogiri (libxml2 backend) for XML canonicalization.
- Debian bookworm and bullseye have resolved this CVE; patching status for other distributions must be verified independently.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | LOW | — |
OSV
osv · 2025-12-09 · CVSS 9.3
CVE-2025-66568 [CRITICAL] The ruby-saml library implements the client side of an SAML authorization
GHSA
ghsa · 2025-12-08
CVE-2025-66568 [CRITICAL] CWE-347 Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation
### Summary
In ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue in the libxml2 canonicalization process used by Nokogiri for document transformation. This allows an attacker to execute a Signature Wrapping attack. Version 1.18.0 is not affected.
### Details
When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded.
### Impact
1. Digest bypass: By crafting input that causes canonicalization to yield an empty string, the attacker
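Added example, not ruby-saml's or the advisory's own code: a simplified Ruby reference-digest check that contrasts the pattern the advisory describes (hashing whatever canonicalization returned) with one that rejects a nil or empty canonicalization result before any digest is computed. The function names, SAMPLE_CANONICAL and its digest are constructed for this illustration; canonicalization itself is assumed to happen elsewhere and only its string result is passed in.

```ruby
require 'digest'
require 'openssl'

# Hypothetical, simplified reference-digest check modelled on the advisory
# text; it is not ruby-saml's own code. `canonical` stands for whatever the
# canonicalizer returned for the referenced node, and `expected_b64` for the
# DigestValue carried in the signature's SignedInfo reference.

# Base64-encoded SHA-256 of a canonicalized node, as XML-DSig expects.
def digest_b64(canonical)
  [Digest::SHA256.digest(canonical)].pack('m0')
end

# Vulnerable pattern from the advisory: whatever canonicalization returned is
# hashed and compared, so an empty result is accepted if its digest matches.
def digest_matches_vulnerable?(canonical, expected_b64)
  digest_b64(canonical.to_s) == expected_b64
end

# Hardened pattern: a nil or empty canonicalization result means the
# referenced node could not be transformed, so the reference is rejected
# before any digest is computed. The comparison is constant-time.
def digest_matches_hardened?(canonical, expected_b64)
  return false if canonical.nil? || canonical.strip.empty?
  OpenSSL.secure_compare(digest_b64(canonical), expected_b64.to_s)
end

# Constructed sample: a canonicalized assertion and its correct digest.
SAMPLE_CANONICAL = '<saml:Assertion ID="_constructed">ok</saml:Assertion>'.freeze
SAMPLE_DIGEST    = digest_b64(SAMPLE_CANONICAL)

if __FILE__ == $PROGRAM_NAME
  puts "valid node, hardened:   #{digest_matches_hardened?(SAMPLE_CANONICAL, SAMPLE_DIGEST)}"
  puts "empty node, vulnerable: #{digest_matches_vulnerable?('', digest_b64(''))}"
  puts "empty node, hardened:   #{digest_matches_hardened?('', digest_b64(''))}"
end
```

The digest of the empty string is a fixed constant, which is why a check that hashes an empty canonicalization result can be satisfied without the referenced node ever being validated.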
Debian
vendor_debian · 2025 · CVSS 9.3
CVE-2025-66568 [CRITICAL] ruby-saml - The ruby-saml library implements the client side of an SAML authorization. Versi...
Scope: local
bookworm: resolved
bullseye: resolved
No detection rules found.
No public exploits indexed.