CVE-2025-66578: robrichards/xmlseclibs has an Libxml2 Canonicalization error which can bypass Digest/Signature validation
(updated )
An authentication bypass vulnerability exists due to a flaw in the libxml2 canonicalization process, which is used by xmlseclibs during document transformation. This weakness allows an attacker to generate a valid signature once and reuse it indefinitely. In practice, a signature created during a previous interaction - or through a misconfigured authentication flow - can be replayed to bypass authentication checks.
References
- github.com/advisories/GHSA-c4cc-x928-vjw9
- github.com/robrichards/xmlseclibs
- github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php
- github.com/robrichards/xmlseclibs/commit/69fd63080bc47a8d51bc101c30b7cb756862d1d6
- github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9
- nvd.nist.gov/vuln/detail/CVE-2025-66578
Code Behaviors & Features
Detect and mitigate CVE-2025-66578 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →