CVE-2025-66568 Overview
CVE-2025-66568 is a critical authentication bypass vulnerability in the ruby-saml library, which implements the client side of SAML authorization. The vulnerability exists in versions up to and including 1.12.4, where attackers can exploit the libxml2 canonicalization process used by Nokogiri for document transformation to execute a Signature Wrapping attack.
When libxml2's canonicalization is invoked on invalid XML input, it may return an empty string rather than a canonicalized node. The ruby-saml library then incorrectly proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This allows attackers to bypass SAML authentication mechanisms entirely.
Critical Impact
This authentication bypass vulnerability allows attackers to forge SAML assertions and gain unauthorized access to applications protected by SAML-based single sign-on (SSO), potentially compromising entire enterprise identity systems.
Affected Products
- onelogin ruby-saml versions up to and including 1.12.4
- Applications using vulnerable ruby-saml versions for SAML authentication
- Enterprise SSO systems relying on the affected library
Discovery Timeline
- 2025-12-09 - CVE-2025-66568 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2025-66568
Vulnerability Analysis
This vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature), representing a fundamental flaw in how the ruby-saml library processes SAML assertions. The issue stems from the library's trust in the canonicalization output from libxml2 without proper validation.
SAML authentication relies on XML digital signatures to verify the authenticity and integrity of assertions. The canonicalization process ensures that XML documents are transformed into a standard form before signature computation or verification. When this process fails silently by returning an empty string, the library proceeds with signature verification against incorrect data, creating an exploitable condition.
The attack surface is network-accessible, requires no authentication, and can be executed without user interaction. Successful exploitation results in complete bypass of authentication controls, allowing attackers to impersonate any user within the SAML federation.
Root Cause
The root cause lies in insufficient error handling during the XML canonicalization process. When libxml2 encounters invalid XML input during canonicalization, it returns an empty string instead of raising an error or returning the expected canonicalized node. The ruby-saml library fails to detect this condition and proceeds to compute the DigestValue over the empty string.
This design flaw allows attackers to craft malicious SAML responses that pass signature verification despite containing manipulated assertions, as the signature is validated against empty or incorrect data rather than the actual assertion content.
Attack Vector
The Signature Wrapping attack exploits the discrepancy between what the signature validates and what the application processes. An attacker intercepts or crafts a SAML response and manipulates the XML structure to include malicious assertions while ensuring the signature verification passes by exploiting the empty canonicalization output.
The attack flow typically involves:
- Obtaining a valid SAML response or crafting a malicious one
- Manipulating the XML structure to include attacker-controlled assertions
- Exploiting the canonicalization flaw to bypass signature verification
- Submitting the manipulated response to gain unauthorized access
The security patch addresses this vulnerability by adding message size validation and improving error handling:
decoded = decode(saml)
begin
- inflate(decoded)
+ message = inflate(decoded)
rescue
- decoded
+ message = decoded
end
+
+ if message.bytesize > settings.message_max_bytesize
+ raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
+ end
+
+ message
end
# Deflate, base64 encode and url-encode a SAML Message (To be used in the HTTP-redirect binding)
Source: GitHub Commit
Detection Methods for CVE-2025-66568
Indicators of Compromise
- Unusual SAML assertion patterns with malformed or unusually structured XML content
- Authentication events where user identity claims don't match expected patterns
- Multiple successful authentications from disparate geographic locations for the same user
- SAML responses with abnormal XML structures or duplicate elements
Detection Strategies
- Monitor SAML authentication logs for assertions with unexpected or empty DigestValue computations
- Implement anomaly detection for authentication patterns that deviate from established user baselines
- Deploy application-layer monitoring to detect malformed SAML responses before processing
- Audit authentication events for signs of identity spoofing or privilege escalation
Monitoring Recommendations
- Enable verbose logging for SAML authentication processing to capture canonicalization errors
- Implement real-time alerting for failed SAML signature verifications followed by successful authentications
- Monitor for unusual patterns in SSO token issuance and session creation
- Track ruby-saml library version across all deployments to identify vulnerable instances
How to Mitigate CVE-2025-66568
Immediate Actions Required
- Upgrade ruby-saml to version 1.18.0 or later immediately
- Audit all applications using ruby-saml for SAML authentication functionality
- Review authentication logs for signs of prior exploitation
- Implement additional authentication controls while patching is in progress
Patch Information
The vulnerability is fixed in ruby-saml version 1.18.0. Organizations should update their Gemfile to specify the patched version and run bundle update to apply the fix. The patch introduces proper validation of canonicalization output and message size limits to prevent exploitation.
For detailed information about the fix, refer to the GitHub Security Advisory and the commit changes.
Workarounds
- Implement additional identity verification at the application layer beyond SAML assertions
- Deploy web application firewalls (WAF) with rules to detect malformed SAML responses
- Enable strict XML validation before processing SAML responses
- Consider implementing IP-based access restrictions for SAML endpoints as a temporary measure
# Configuration example
# Update Gemfile to use patched version
gem 'ruby-saml', '>= 1.18.0'
# Run bundle update to apply the fix
bundle update ruby-saml
# Verify the installed version
bundle show ruby-saml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
