CVE-2025-66567 Overview
CVE-2025-66567 is a critical authentication bypass vulnerability affecting the ruby-saml library, which is widely used for implementing SAML (Security Assertion Markup Language) authorization on the client side. This vulnerability exists due to an incomplete fix for CVE-2025-25292 and allows attackers to bypass authentication mechanisms through a Signature Wrapping attack.
The root cause stems from the different ways ReXML and Nokogiri parse XML documents—generating entirely different document structures from the same input. This parsing discrepancy creates an exploitable condition that enables attackers to manipulate SAML assertions and bypass signature validation.
Critical Impact
Attackers can bypass SAML authentication entirely, potentially gaining unauthorized access to protected resources and applications that rely on ruby-saml for identity verification.
Affected Products
- onelogin ruby-saml versions up to and including 1.12.4
- Applications using vulnerable ruby-saml for SAML authentication
- Identity providers and service providers implementing ruby-saml
Discovery Timeline
- 2025-12-09 - CVE-2025-66567 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2025-66567
Vulnerability Analysis
This vulnerability represents an authentication bypass flaw (CWE-347: Improper Verification of Cryptographic Signature) that affects SAML-based authentication systems. The issue arises from an incomplete patch for the earlier CVE-2025-25292, indicating that the original remediation did not fully address the underlying parsing inconsistency between XML processing libraries.
The attack exploits the fact that ReXML and Nokogiri—two common Ruby XML parsing libraries—interpret the same XML input differently. When processing SAML assertions, this discrepancy allows an attacker to craft malicious XML that passes signature validation in one parser while being interpreted differently by another, effectively enabling unauthorized authentication.
Root Cause
The vulnerability originates from a fundamental architectural issue in how ruby-saml handles XML document parsing and signature validation. The library uses multiple XML parsers that produce divergent document object models from identical input. This inconsistency allows attackers to inject malicious content that bypasses the signature verification process while still being processed as valid authentication data.
The incomplete fix for CVE-2025-25292 failed to account for all scenarios where this parsing discrepancy could be exploited, leaving a residual attack surface that CVE-2025-66567 addresses.
Attack Vector
The attack is network-exploitable and requires no authentication or user interaction. An attacker can craft a specially constructed SAML response that exploits the XML parsing inconsistency to wrap a legitimate signature around forged assertion content. This Signature Wrapping attack allows the attacker to:
- Intercept or obtain a valid SAML assertion
- Manipulate the XML structure to insert malicious content
- Preserve the original signature in a location that passes validation
- Present the modified assertion to gain unauthorized access
The security patch introduces proper malformed document checking to prevent this attack:
# @raise [ValidationError] if soft == false and validation fails
#
def validate_structure
- unless valid_saml?(document, soft)
+ check_malformed_doc = check_malformed_doc?(settings)
+ unless valid_saml?(document, soft, check_malformed_doc)
return append_error("Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd")
end
Source: GitHub Commit
The core fix adds explicit malformed document checking to the validation process:
# Validates the SAML Message against the specified schema.
# @param document [REXML::Document] The message that will be validated
# @param soft [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the message is invalid or not)
+ # @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
# @return [Boolean] True if the XML is valid, otherwise False, if soft=True
# @raise [ValidationError] if soft == false and validation fails
#
- def valid_saml?(document, soft = true)
+ def valid_saml?(document, soft = true, check_malformed_doc = true)
begin
- xml = Nokogiri::XML(document.to_s) do |config|
- config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
- end
+ xml = XMLSecurity::BaseDocument.safe_load_xml(document, check_malformed_doc)
rescue StandardError => error
return false if soft
raise ValidationError.new("XML load failed: #{error.message}")
Source: GitHub Commit
Detection Methods for CVE-2025-66567
Indicators of Compromise
- Unusual SAML assertions with duplicate or nested signature elements
- Authentication logs showing successful logins with malformed SAML response structures
- XML documents containing multiple Signature elements or unexpected element positioning
- Login attempts with SAML responses that differ structurally from typical identity provider responses
Detection Strategies
- Implement deep packet inspection for SAML traffic to identify Signature Wrapping patterns
- Monitor authentication logs for anomalies such as logins from unexpected identity sources or unusual user agent patterns
- Deploy application-layer firewalls configured to detect malformed XML in SAML assertions
- Audit ruby-saml library versions across all applications and flag instances running version 1.12.4 or earlier
Monitoring Recommendations
- Enable verbose logging for SAML authentication events including full assertion details
- Configure alerting for failed signature validation attempts that are followed by successful authentications
- Implement runtime application self-protection (RASP) to detect XML manipulation attempts
- Monitor for dependency updates and security advisories related to ruby-saml and its XML parsing dependencies
How to Mitigate CVE-2025-66567
Immediate Actions Required
- Upgrade ruby-saml to version 1.18.0 or later immediately
- Audit all applications using ruby-saml and prioritize those exposed to untrusted networks
- Review authentication logs for any signs of exploitation prior to patching
- Implement additional authentication factors for critical systems until patches are deployed
Patch Information
The vulnerability is fully remediated in ruby-saml version 1.18.0. The fix introduces proper malformed document checking through the safe_load_xml method, which ensures consistent XML parsing and prevents Signature Wrapping attacks.
For detailed patch information, refer to the GitHub Security Advisory and the security commit.
Workarounds
- If immediate patching is not possible, consider implementing additional signature validation at the application layer
- Restrict SAML authentication to trusted identity providers with strict network controls
- Implement web application firewall rules to reject SAML responses with suspicious XML structures
- Consider temporarily disabling SAML authentication for highly sensitive applications until patching is complete
# Update ruby-saml to the patched version
bundle update ruby-saml
# Verify the installed version
bundle show ruby-saml
# Expected output: ruby-saml (1.18.0) or higher
# For Gemfile pinning, update to:
# gem 'ruby-saml', '>= 1.18.0'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
