CVE-2025-66568: ruby-saml Libxml2 Canonicalization errors can bypass Digest/Signature validation

Published Dec 8, 2025
·
Updated

Summary Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue at libxml2 canonicalization process used by Nokogiri for document transformation. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0.

Details When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded.

Impact 1. Digest bypass: By crafting input that causes canonicalization to yield an empty string, the attacker can manipulate validation to pass incorrectly.

2. Signature replay on empty canonical form: If an empty string has been signed once (e.g., in a prior interaction or via a misconfigured flow), that signature can potentially be replayed to bypass authentication.

Other sources

The ruby-saml library implements the client side of an SAML authorization. Versions up to and including 1.12.4, are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 1.18.0.

MITRE

Affected Software

2 affected componentsFixes available
rubygems/ruby-saml<1.18.0
1.18.0
onelogin Ruby-SAML<1.18.0

Event History

Dec 8, 2025
Advisory Published
via GitHub·10:03 PM
Data Sourced
via GitHub·10:03 PM
DescriptionWeaknessAffected Software
Dec 9, 2025
CVE Published
via MITRE·02:03 AM
Data Sourced
via MITRE·02:03 AM
DescriptionWeakness
Data Sourced
via NVD·04:18 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-66568?

CVE-2025-66568 is classified as a critical authentication bypass vulnerability.

2

How do I fix CVE-2025-66568?

To resolve CVE-2025-66568, upgrade ruby-saml to version 1.18.0 or later.

3

Which versions of ruby-saml are affected by CVE-2025-66568?

ruby-saml versions up to and including 1.12.4 are affected by CVE-2025-66568.

4

What type of attack can be executed due to CVE-2025-66568?

CVE-2025-66568 allows attackers to perform Signature Wrapping attacks.

5

What library is involved in the CVE-2025-66568 vulnerability?

The vulnerability involves issues with the libxml2 canonicalization process used by Nokogiri.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203