
CVE-2025-66567: CWE-347: Improper Verification of Cryptographic Signature in SAML-Toolkits ruby-saml

Severity: Critical
Published: Tue Dec 09 2025 (12/09/2025, 01:55:06 UTC)
Source: CVE Database V5
Vendor/Project: SAML-Toolkits
Product: ruby-saml

Description

The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0.

AI-Powered Analysis

Last updated: 12/09/2025, 02:48:57 UTC

Technical Analysis

CVE-2025-66567 is a critical vulnerability in the ruby-saml library, which is widely used to implement client-side SAML authorization in Ruby applications. The vulnerability stems from an incomplete fix for CVE-2025-25292 and is classified as improper verification of cryptographic signatures (CWE-347). The root cause is that the ReXML and Nokogiri libraries parse the same XML input into different document structures. When the code that locates and verifies the XML signature and the code that reads the authenticated identity operate on different views of the same document, the part of the message that was verified and the part that is acted on can diverge, which is precisely what a Signature Wrapping attack exploits. This discrepancy lets an attacker craft a malicious SAML response that bypasses authentication controls without any privileges or user interaction. The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity with a network attack vector, low attack complexity, and no required authentication. The impact includes unauthorized access to protected resources, compromising the confidentiality and integrity of authentication tokens. Although no exploits are currently reported in the wild, the vulnerability poses a significant risk to any system using vulnerable ruby-saml versions (prior to 1.18.0). The issue is resolved in ruby-saml 1.18.0 by correcting the signature verification logic and ensuring consistent XML parsing. Organizations using ruby-saml for SAML-based single sign-on should prioritize upgrading to the fixed version and auditing their SAML implementations for similar weaknesses.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized access to critical systems and sensitive data by bypassing authentication mechanisms in SAML-based single sign-on solutions. SAML is widely used across European enterprises, government agencies, and financial institutions to enable federated identity management. Exploitation could result in data breaches, identity theft, and disruption of services, undermining trust and compliance with regulations such as GDPR. The criticality is heightened in sectors with stringent security requirements, including banking, healthcare, and public administration. Attackers exploiting this flaw could impersonate legitimate users, escalate privileges, and move laterally within networks. The lack of required authentication or user interaction makes this vulnerability particularly dangerous, as it can be exploited remotely over the network. Although no active exploits are reported, the high CVSS score and the nature of the vulnerability demand immediate attention to prevent potential attacks.

Mitigation Recommendations

1. Upgrade ruby-saml to version 1.18.0 or later immediately to apply the official fix addressing the signature verification flaw.
2. Conduct a thorough audit of all SAML implementations to ensure consistent XML parsing libraries are used and that signature verification logic is robust against Signature Wrapping attacks.
3. Implement additional XML signature validation controls, such as strict schema validation and namespace enforcement, to prevent manipulation of XML structures.
4. Monitor authentication logs for unusual SAML assertion patterns or unexpected authentication successes.
5. Employ network-level protections like Web Application Firewalls (WAFs) configured to detect and block malformed SAML responses.
6. Educate development and security teams about the risks of XML parsing inconsistencies and the importance of using secure libraries.
7. Consider deploying runtime application self-protection (RASP) tools to detect anomalous authentication flows.
8. Review and update incident response plans to include scenarios involving SAML authentication bypasses.
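A structural pre-check of the kind item 3 describes, as an added example that is not code from ruby-saml or from this advisory: it uses only the standard-library REXML parser, assumes the SAMLResponse has already been base64-decoded, and is a defence-in-depth layer placed in front of the library's own validation, not a replacement for upgrading to 1.18.0. The sample responses are constructed for illustration.

```ruby
require "rexml/document"
require "rexml/xpath"

# Namespaces used by SAML 2.0 responses and XML Signature.
SAML_NS = {
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
  "ds"    => "http://www.w3.org/2000/09/xmldsig#",
}.freeze

# Structural pre-check on a decoded SAMLResponse, run before the library parses it.
# Returns the reasons to reject; an empty array means the document has the expected
# shape: one Assertion, at least one Signature, and every signature Reference pointing
# at the ID of the Response or of that single Assertion.
def saml_shape_problems(xml)
  doc = REXML::Document.new(xml)
  problems = []
  problems << "DOCTYPE present" if doc.doctype
  assertions = REXML::XPath.match(doc, "//saml:Assertion", SAML_NS)
  problems << "expected exactly 1 Assertion, found #{assertions.size}" unless assertions.size == 1
  problems << "no Signature element" if REXML::XPath.match(doc, "//ds:Signature", SAML_NS).empty?
  # IDs a signature may legitimately cover: the Response itself and the Assertion(s).
  signed_ids = REXML::XPath.match(doc, "//samlp:Response/@ID", SAML_NS).map(&:value) +
               REXML::XPath.match(doc, "//saml:Assertion/@ID", SAML_NS).map(&:value)
  REXML::XPath.match(doc, "//ds:Signature/ds:SignedInfo/ds:Reference/@URI", SAML_NS).each do |uri|
    target = uri.value.sub(/\A#/, "")
    problems << "Reference #{uri.value} does not point at the Response or Assertion" unless signed_ids.include?(target)
  end
  problems
rescue REXML::ParseException => e
  ["unparseable XML: #{e.message}"]
end

# Constructed sample: one Assertion whose Signature references its own ID (digest/value omitted).
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample carrying a second Assertion; the shape check rejects it before any
# parser-dependent signature lookup gets a chance to disagree about which one was signed.
DOUBLE_ASSERTION_RESPONSE = GOOD_RESPONSE.sub("</samlp:Response>",
  "<saml:Assertion ID=\"_a2\"><saml:Subject><saml:NameID>bob@example.test</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>")
```

Rejecting on shape alone does not verify the signature; it only guarantees the document handed to ruby-saml has a single candidate for "the signed assertion", so the parser differential the advisory describes has nothing to choose between.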


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T16:17:35.386Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69378a8b0af42da4c56f97ca

Added to database: 12/9/2025, 2:33:47 AM

Last enriched: 12/9/2025, 2:48:57 AM

Last updated: 12/10/2025, 11:50:54 PM
