CVE 9.3 CRITICAL

ruby-saml Libxml2 Canonicalization errors can bypass Digest/Signature validation_CVE-2025-66568

December 8, 2025 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

The ruby-saml library implements the client side of an SAML authorization. Versions up to and including 1.12.4, are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 1.18.0.

AI Analysis

Authentication bypass via libxml2 canonicalization in ruby-saml library

Basic Information

ID CVE-2025-66568

Source GitHub_M

Published Dec 9, 2025 at 02:03

Affected Product

Vendor SAML-Toolkits

Product ruby-saml

Version < 1.18.0

Affected Versions SAML-Toolkits ruby-saml < 1.18.0

CWE Classification

CWE-347

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor SAML-Toolkits

Product ruby-saml

Version < 1.18.0

References

{
    "lastseen": "",
    "description": "The ruby-saml library implements the client side of an SAML authorization. Versions up to and including 1.12.4, are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2\u2019s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 1.18.0.",
    "published": "2025-12-09T02:03:20.397Z",
    "modified": "2025-12-09T02:03:20.397Z",
    "type": "cve",
    "title": "ruby-saml Libxml2 Canonicalization errors can bypass Digest/Signature validation",
    "source": "GitHub_M",
    "references": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4\nhttps://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a",
    "id": "CVE-2025-66568",
    "bulletinFamily": "",
    "cwe": [
        "CWE-347"
    ],
    "cvelist": null,
    "sourceData": "SAML-Toolkits ruby-saml < 1.18.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ruby-saml",
    "version": "< 1.18.0",
    "vendor": "SAML-Toolkits",
    "ai_description": "Authentication bypass via libxml2 canonicalization in ruby-saml library",
    "ai_severity": "Critical",
    "ai_vendor": "SAML-Toolkits",
    "ai_product": "ruby-saml",
    "ai_version": "< 1.18.0",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply