CVE-2025-66568

9.1 CRITICAL

📋 TL;DR

The ruby-saml library versions up to 1.12.4 are vulnerable to authentication bypass via Signature Wrapping attacks. Attackers can exploit libxml2's canonicalization behavior on invalid XML to bypass SAML authentication. This affects any application using vulnerable ruby-saml versions for SAML authentication.

💻 Affected Systems

Products:
  • ruby-saml library
Versions: up to and including 1.12.4
Operating Systems: All operating systems running Ruby applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any Ruby application using ruby-saml for SAML authentication is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete authentication bypass allowing unauthorized access to protected systems and data as any user.

🟠 Likely Case

Attackers gain unauthorized access to applications using SAML authentication, potentially compromising user accounts and sensitive data.

🟢 If Mitigated

With proper network segmentation and monitoring, the impact is limited to specific applications, and anomalous authentication attempts can be detected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious SAML responses but does not require authentication to the target system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.18.0

Vendor Advisory: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4

Restart Required: Yes

Instructions:

1. Update the Gemfile to specify 'gem "ruby-saml", ">= 1.18.0"'
2. Run 'bundle update ruby-saml'
3. Restart your Ruby application
4. Test SAML authentication functionality

🔧 Temporary Workarounds

Input validation workaround (applies to: all)

Add XML validation before canonicalization to reject invalid XML inputs

# Add custom validation in SAML response processing
# Reject XML that fails basic structure validation before canonicalization
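The following Ruby script is an added example of the pre-filter the workaround describes; it is not code from the advisory or from the ruby-saml project. It assumes it runs on the raw SAMLResponse POST parameter before the application hands the document to ruby-saml, uses only REXML and String#unpack for strict base64 decoding, and adds one heuristic the advisory does not state (rejecting responses that do not carry exactly one unencrypted Assertion element); the `ruby_saml_patched?` helper implements the version comparison from the verification section against the 1.18.0 fix release. The sample responses are constructed, not captured traffic.

```ruby
require "rexml/document"

# Fixed release named in the advisory.
FIXED_RUBY_SAML_VERSION = Gem::Version.new("1.18.0")

# True when the installed ruby-saml version (e.g. the output of
# `bundle show ruby-saml`) is at or above the fixed release.
def ruby_saml_patched?(installed_version)
  Gem::Version.new(installed_version) >= FIXED_RUBY_SAML_VERSION
end

# Outcome of the pre-filter; `reason` is meant for the application log.
PrefilterResult = Struct.new(:accepted, :reason)

# Strict structural check on a POSTed SAMLResponse parameter, intended to run
# before the document reaches ruby-saml. Rejects invalid base64, XML that REXML
# cannot parse as one well-formed document, a missing or unexpected root
# element, and (heuristic assumed here, not stated in the advisory) any
# response that does not contain exactly one Assertion element.
def prefilter_saml_response(encoded_response)
  begin
    # "m0" is strict base64: invalid characters or padding raise ArgumentError.
    xml = encoded_response.to_s.unpack1("m0")
  rescue ArgumentError
    return PrefilterResult.new(false, "invalid base64")
  end

  begin
    doc = REXML::Document.new(xml)
  rescue REXML::ParseException
    # Mismatched or unclosed tags never reach canonicalization.
    return PrefilterResult.new(false, "malformed XML")
  end

  root = doc.root
  return PrefilterResult.new(false, "no root element") if root.nil?
  unless root.name == "Response"
    return PrefilterResult.new(false, "unexpected root element <#{root.name}>")
  end

  # Element#name is the local name, so prefixed and unprefixed forms both count.
  assertions = 0
  root.each_recursive { |el| assertions += 1 if el.name == "Assertion" }
  unless assertions == 1
    return PrefilterResult.new(false, "expected 1 Assertion element, found #{assertions}")
  end

  PrefilterResult.new(true, "ok")
end

# Constructed sample inputs (not real SAML traffic): a minimal well-formed
# response and the same response with broken element nesting.
GOOD_RESPONSE_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
  </samlp:Response>
XML

BROKEN_RESPONSE_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a1"><saml:Subject>alice</saml:Assertion></saml:Subject>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  [GOOD_RESPONSE_XML, BROKEN_RESPONSE_XML].each do |xml|
    r = prefilter_saml_response([xml].pack("m0"))
    puts "#{r.accepted ? 'ACCEPT' : 'REJECT'}: #{r.reason}"
  end
  puts "ruby-saml 1.12.4 patched? #{ruby_saml_patched?('1.12.4')}"
end
```

Wire `prefilter_saml_response` into the controller action that receives the IdP POST and log the `reason` of every rejection; those log lines are exactly the "malformed" and "invalid" keywords the SIEM query below looks for. The pre-filter is defence in depth only: it narrows what reaches the library's canonicalization step but does not replace upgrading to 1.18.0.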

🧯 If You Can't Patch

  • Implement additional authentication factors (MFA) for all users
  • Deploy WAF rules to detect and block suspicious SAML responses

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock or run 'bundle show ruby-saml' to see installed version

Check Version:

bundle show ruby-saml | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+"

Verify Fix Applied:

Confirm version 1.18.0 or higher is installed and test SAML authentication with valid and invalid XML inputs

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful logins from same IP
  • SAML responses with malformed XML structure
  • Unusual user agent strings in authentication requests

Network Indicators:

  • SAML responses containing XML parsing errors
  • Multiple authentication attempts from single source with varying XML structures

SIEM Query:

source="application.log" AND ("SAML" AND ("invalid" OR "malformed" OR "canonicalization"))
