CVE-2025-66568
published 2025-12-09


Priority: P2 (60)
CVSS 3.1: 9.1 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.21% (10.9th percentile)
The ruby-saml library implements the client side of a SAML authorization. Versions up to and including 1.12.4 are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2's canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then computes the DigestValue over this empty string, treating it as if canonicalization had succeeded, so the reference digest check no longer covers the referenced element's actual content. This issue is fixed in version 1.18.0.
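As an added example (not ruby-saml's own code), the following Ruby models the two failure modes the description names, an empty canonicalization result that is hashed as if it were the referenced element, and a reference ID that resolves to more than one element (the wrapping shape), beside the checks that close them. Nokogiri is replaced by REXML and by a stand-in canonicalizer that returns "" whenever a constructed `data-malformed` attribute is present; the module name `DsigReference`, the sample response and that attribute are illustration-only assumptions, and the real libxml2 inputs that trigger the empty result are not modelled.

```ruby
require 'openssl'
require 'base64'
require 'rexml/document'

# Added example (not ruby-saml code). Models the reference-digest step of XML-DSig
# validation with the canonicalizer injected as a lambda, so it runs without Nokogiri.
module DsigReference
  class VerificationError < StandardError; end

  DIGESTS = {
    'http://www.w3.org/2001/04/xmlenc#sha256' => OpenSSL::Digest::SHA256,
    'http://www.w3.org/2001/04/xmlenc#sha512' => OpenSSL::Digest::SHA512
  }.freeze

  # Stand-in for Nokogiri's Node#canonicalize. libxml2's C14N can hand back an empty
  # string instead of an error for input it cannot serialize; that failure is simulated
  # here by a constructed `data-malformed` attribute. Real trigger inputs are not modelled.
  BROKEN_C14N = lambda do |node|
    next '' if node.attributes['data-malformed'] == 'true'
    node.to_s
  end

  # Resolve a same-document Reference URI ("#id"). Exactly one element may carry the ID:
  # zero is a dangling reference, more than one is the classic wrapping shape.
  def self.resolve(doc, uri)
    m = uri.match(/\A#([A-Za-z0-9_.\-]+)\z/)
    raise VerificationError, "unsupported reference URI #{uri.inspect}" unless m
    matches = REXML::XPath.match(doc, "//*[@ID='#{m[1]}']")
    raise VerificationError, "#{uri} matched #{matches.size} elements, expected 1" unless matches.size == 1
    matches.first
  end

  # Byte-wise comparison that does not short-circuit on the first differing byte.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Vulnerable shape: whatever the canonicalizer returned is hashed and compared, so an
  # empty string "matches" any DigestValue equal to the digest of "".
  def self.digest_ok_unchecked?(node, digest_uri, expected_b64, c14n: BROKEN_C14N)
    canonical = c14n.call(node)
    Base64.strict_encode64(DIGESTS.fetch(digest_uri).digest(canonical.to_s)) == expected_b64
  end

  # Hardened shape: refuse unknown algorithms and empty canonicalization output, decode
  # the stored DigestValue strictly, and compare in constant time.
  def self.digest_ok_checked?(node, digest_uri, expected_b64, c14n: BROKEN_C14N)
    klass = DIGESTS[digest_uri]
    raise VerificationError, "unsupported digest algorithm #{digest_uri}" unless klass
    canonical = c14n.call(node)
    raise VerificationError, 'canonicalization produced no output' if canonical.nil? || canonical.empty?
    expected = begin
      Base64.strict_decode64(expected_b64)
    rescue ArgumentError
      raise VerificationError, 'DigestValue is not valid base64'
    end
    constant_time_equal?(expected, klass.digest(canonical))
  end
end

# Constructed sample, not a real IdP response: one well-formed assertion, one flagged so
# the stand-in canonicalizer returns "", and a duplicated ID for the wrapping check.
SAMPLE_RESPONSE = <<~XML
  <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <Assertion ID="_good"><Subject>alice</Subject></Assertion>
    <Assertion ID="_bad" data-malformed="true"><Subject>admin</Subject></Assertion>
    <Assertion ID="_dup"/><Assertion ID="_dup"/>
  </Response>
XML
SHA256_URI = 'http://www.w3.org/2001/04/xmlenc#sha256'
# Base64 SHA-256 of the empty string: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
EMPTY_SHA256_B64 = Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(''))

# Runs both checks against the element whose canonicalization comes back empty.
def demo
  doc = REXML::Document.new(SAMPLE_RESPONSE)
  bad = DsigReference.resolve(doc, '#_bad')
  {
    unchecked_accepts_empty: DsigReference.digest_ok_unchecked?(bad, SHA256_URI, EMPTY_SHA256_B64),
    checked_rejects_empty: begin
      DsigReference.digest_ok_checked?(bad, SHA256_URI, EMPTY_SHA256_B64)
    rescue DsigReference::VerificationError => e
      e.message
    end
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The hardened path raises on an empty result instead of returning false, so a caller cannot confuse "nothing was hashed" with "hash mismatch", and the single-match rule in `resolve` rejects a wrapped duplicate before any digest is computed. The same guard belongs in front of Nokogiri's `canonicalize` when the stand-in is swapped out.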

Affected (4 ranges)

Vendor         Product     Version range     Fixed in
debian         ruby-saml   -                 -
onelogin       ruby-saml   < 1.18.0          1.18.0
onelogin       ruby-saml   >= 0, < 1.18.0    1.18.0
saml-toolkits  ruby-saml   < 1.18.0          1.18.0

Detection & IOCs (extracted from sources)

  • Vulnerable versions of ruby-saml are 1.12.4 and below; monitor SAML authentication flows using these versions for authentication bypass attempts (Signature Wrapping).
  • Exploitation requires the attacker to craft a malformed SAML XML document; the attack is only possible against deployments using ruby-saml with Nokogiri (libxml2 backend) for XML canonicalization.
  • Debian bookworm and bullseye have resolved this CVE; patching status for other distributions must be verified independently.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd            v4.0     9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv            -        9.3    CRITICAL  -
vendor_debian  -        9.3    LOW       -