CVE-2025-66568: Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation
(updated )
Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue at libxml2 canonicalization process used by Nokogiri for document transformation. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0.
References
- github.com/SAML-Toolkits/ruby-saml
- github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a
- github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4
- github.com/advisories/GHSA-x4h9-gwv3-r4m4
- github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-66568.yml
- nvd.nist.gov/vuln/detail/CVE-2025-66568
Code Behaviors & Features
Detect and mitigate CVE-2025-66568 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →