CVE-2025-66567

Published Dec 9, 2025

Last updated 3 months ago

CVSS critical 9.3

Overview

Description
The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0.
Source
security-advisories@github.com
NVD status
Analyzed
Products
ruby-saml

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-347

Social media

Hype score
Not currently trending

  1. #VulnerabilityReport #AuthenticationBypass Critical Authentication Bypass Flaws Discovered in Ruby SAML Library (CVE-2025-66567 & CVE-2025-66568) https://t.co/K9r7F9lQs6

    @Komodosec

    15 Jan 2026

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Ruby Samlに深刻な認証バイパス 脆弱性(CVE-2025-66567/66568) https://t.co/hs6iyZ2mZ1 #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    11 Dec 2025

    115 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Upozorňujeme na zranitelnosti v Ruby-SAML, CVE-2025-66567 a CVE-2025-66568. Tyto zranitelnosti umožňují obejít validaci SAML assertion a tím pádem útočníkům umožňují vydávat se za legitimní uživatele bez platných přihlašovacích údajů. Problém vycház

    @GOVCERT_CZ

    10 Dec 2025

    286 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 SAML SIGN-IN HIJACK — CVE-2025-66567 (ruby-saml)! Authentication can be bypassed via namespace/parser differences. Upgrade to 1.18.0+ NOW. If you can’t patch: disable public SSO, rotate keys/sessions & audit logins. 🔍 https://t.co/8yW5uv6ZDQ #SAML #AppSec #Vulert

    @vulert_official

    9 Dec 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. The ruby-saml library implements the client side of an SAML authorization. Versions up to and including 1.12.4, are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 1.18.0.CVE-2025-66568
  2. ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.CVE-2025-25293
  3. ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.CVE-2025-25292
  4. ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.CVE-2025-25291
  5. The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.CVE-2024-45409

References

Sources include official advisories and independent security research.