CVE-2025-66567

moderate-risk

Published 2025-12-09

The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Ruby-Saml

Affected Vendors

Onelogin

References (3)

Patch https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0c...

Vendor Advisory https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2f...

Not Applicable https://github.com/advisories/GHSA-754f-8gm6-c4r2

/ 100

moderate-risk

Severity 31/34 · Critical

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal