A pair of critical security vulnerabilities has been disclosed in the Ruby SAML library, a foundational tool used by developers to implement client-side SAML authorization. Both flaws carry a critical CVSS score of 9.3, exposing applications to authentication bypass attacks that could allow malicious actors to impersonate users without valid credentials.
The vulnerabilities affect versions of ruby-saml up to and including 1.12.4. The maintainers have addressed these issues in version 1.18.0, and immediate patching is strongly recommended.
The first vulnerability, CVE-2025-66567, highlights a dangerous discrepancy in how different XML parsers interpret data—a class of bug known as “parser differential.”
The issue stems from an incomplete fix for a previous vulnerability (CVE-2025-25292). According to the advisory, the library relies on two different parsers, ReXML and Nokogiri, which “parse XML differently”. This disagreement allows an attacker to craft a malicious XML payload that looks one way to the security check but is interpreted differently by the application logic.
This creates an opening for an XML Signature Wrapping attack, in which the attacker arranges for a legitimately signed element to vouch for a fraudulent message, effectively allowing them to “bypass the authentication”.
The second flaw, CVE-2025-66568, exploits a failure in the underlying Libxml2 library used by Nokogiri for document transformation.
The vulnerability occurs during the canonicalization process—a method used to standardize XML data before signing. “When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node”.
Critically, ruby-saml fails to handle this error state correctly. Instead of rejecting the failure, the library “proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded”.
This error opens two distinct attack vectors:
- Digest Bypass: An attacker can craft input that makes canonicalization fail and yield an empty string, so the digest check hashes nothing at all and still reports a match.
- Signature Replay: Once a signature over an “empty canonical form” exists, it is no longer tied to any particular content. An attacker can replay it to “bypass authentication” in future interactions or misconfigured flows.
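The following is an added illustration, not code from ruby-saml, of the DigestValue step the advisory describes. It assumes SHA-256 as the digest algorithm and uses a string standing in for whatever libxml2's canonicalization returned; the vulnerable pattern hashes an empty result as if it were a real node, while the hardened pattern rejects it before any digest is computed.

```ruby
require "digest"

# Constructed value: the base64 SHA-256 digest of the empty string. This is
# what a "DigestValue" would have to contain for the empty canonical form
# to pass the vulnerable check below.
EMPTY_CANONICAL_DIGEST = [Digest::SHA256.digest("")].pack("m0")

# Base64 of a SHA-256 digest, the encoding used by XML Signature DigestValue.
def digest_b64(canonical)
  [Digest::SHA256.digest(canonical)].pack("m0")
end

# Vulnerable pattern (models the advisory, not ruby-saml's actual code):
# trusts whatever canonicalization returned. If libxml2 failed and handed
# back "", the digest of "" is computed and compared like any other node.
def digest_matches_vulnerable?(canonical, digest_value)
  digest_b64(canonical.to_s) == digest_value
end

# Hardened pattern: a nil or empty canonical form means canonicalization
# failed, so the reference is rejected before a digest is ever computed.
def digest_matches_hardened?(canonical, digest_value)
  return false if canonical.nil? || canonical.empty?
  secure_compare(digest_b64(canonical), digest_value)
end

# Constant-time comparison so the check does not leak digest bytes via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

The hardened check still accepts a genuine canonical form whose DigestValue matches; it only refuses to treat a failed canonicalization as signed content.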
Both vulnerabilities effectively neutralize the security guarantees of SAML assertions. To mitigate these risks, organizations using ruby-saml must upgrade to version 1.18.0 or later, which is not affected by these flaws.