CVE-2025-66567: CWE-347: Improper Verification of Cryptographic Signature in SAML-Toolkits ruby-saml
The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input. This allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0.
AI Analysis
Technical Summary
CVE-2025-66567 affects ruby-saml, a widely used library for the service-provider (client) side of SAML single sign-on in Ruby applications. The weakness is CWE-347 (improper verification of cryptographic signature), caused by a parser differential: ruby-saml handles the same SAML response with two XML parsers, ReXML and Nokogiri, and the two can build different document trees from one input. An attacker who crafts a response that the parsers read differently can mount an XML Signature Wrapping attack: the signature still verifies over the genuinely signed element as one parser sees it, while the assertion data the application acts on is taken from an attacker-controlled element as the other parser sees it. The outcome is an authentication bypass: the attacker can log in to the service provider as any user without that user's credentials. As with signature wrapping generally, the attacker does need a document carrying a genuine signature from the identity provider (for instance one issued for the attacker's own low-privileged account), so this is not a prerequisite that meaningfully limits exposure. The bug is an incomplete fix for CVE-2025-25292, an earlier parser-differential vulnerability in the same library, so the underlying problem persisted in versions up to and including 1.12.4. The vulnerability is remotely exploitable with no privileges on the service provider and no user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) reflects a network attack vector, low complexity, no attack requirements, no user interaction, and high impact on confidentiality and integrity. The vulnerability was published on December 9, 2025, and is fixed in ruby-saml 1.18.0. No public exploit had been reported at the time of this analysis, but the risk is significant given the role SAML plays in federated identity systems.
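The defensive property that a parser differential breaks is that the element whose signature is verified and the element whose data is consumed are the same node of the same parsed document. The following is an added example, not ruby-saml's own code: a structural pre-check written against Ruby's stdlib ReXML only (Nokogiri is deliberately not involved) that rejects the document shapes a wrapping attack depends on and then reads the NameID from the very element the signature reference resolves to. The module name, method names and the two SAML documents are constructed for illustration; the digest and signature values are placeholders, since cryptographic verification of the signature is a separate step assumed to run on the element this check returns.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Added example (not ruby-saml's own code): a structural pre-check against XML
# Signature Wrapping. Every lookup is done on the ONE parsed document from which
# the assertion data is afterwards read, which is the property the parser
# differential in this CVE breaks.
module SamlWrapCheck
  SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'
  DS_NS   = 'http://www.w3.org/2000/09/xmldsig#'
  NS      = { 'saml' => SAML_NS, 'ds' => DS_NS }.freeze

  class Rejected < StandardError; end

  # Returns the single saml:Assertion covered by the enveloped ds:Signature.
  # Raises Rejected on any shape a wrapping attack depends on. Cryptographic
  # verification of the signature is a separate step, assumed to run on the
  # element this method returns.
  def self.signed_assertion(xml)
    doc = REXML::Document.new(xml)

    assertions = REXML::XPath.match(doc, '//saml:Assertion', NS)
    fail!("expected 1 Assertion, found #{assertions.size}") unless assertions.size == 1
    assertion = assertions.first

    sigs = REXML::XPath.match(doc, '//ds:Signature', NS)
    fail!("expected 1 Signature, found #{sigs.size}") unless sigs.size == 1
    sig = sigs.first
    fail!('Signature is not enveloped in the Assertion') unless sig.parent.equal?(assertion)

    refs = REXML::XPath.match(sig, 'ds:SignedInfo/ds:Reference', NS)
    fail!("expected 1 Reference, found #{refs.size}") unless refs.size == 1
    uri = refs.first.attributes['URI'].to_s
    fail!("unsupported Reference URI #{uri.inspect}") unless uri.length > 1 && uri.start_with?('#')
    ref_id = uri[1..]

    # Resolve the ID over the whole document, never "first match": a duplicated
    # ID is exactly what lets a forged element shadow the signed one.
    holders = REXML::XPath.match(doc, '//*[@ID]').select { |e| e.attributes['ID'] == ref_id }
    fail!("ID #{ref_id.inspect} matched #{holders.size} elements") unless holders.size == 1
    fail!('Reference does not point at the Assertion') unless holders.first.equal?(assertion)

    assertion
  end

  # Identity is read from the element the signature covers, not from a fresh
  # document-wide XPath that a second parser (or a wrapped copy) could redirect.
  def self.name_id(xml)
    node = REXML::XPath.first(signed_assertion(xml), 'saml:Subject/saml:NameID', NS)
    fail!('no NameID inside the signed Assertion') unless node
    node.text.to_s.strip
  end

  def self.rejected?(xml)
    name_id(xml)
    false
  rescue Rejected, REXML::ParseException
    true
  end

  def self.fail!(msg)
    raise Rejected, msg
  end
  private_class_method :fail!

  # Constructed sample (digest/signature values are placeholders): one Assertion
  # with an enveloped Signature whose Reference points back at it.
  BENIGN = <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
      <saml:Assertion ID="_a1">
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>
          <ds:SignatureValue>AAAA</ds:SignatureValue>
        </ds:Signature>
        <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  XML

  # Constructed wrapped variant: the genuinely signed Assertion is moved under
  # samlp:Extensions and a forged, unsigned Assertion reusing its ID sits where a
  # naive "first Assertion" extractor looks.
  WRAPPED = <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
      <saml:Assertion ID="_a1">
        <saml:Subject><saml:NameID>admin@example.org</saml:NameID></saml:Subject>
      </saml:Assertion>
      <samlp:Extensions>
        <saml:Assertion ID="_a1">
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>
            <ds:SignatureValue>AAAA</ds:SignatureValue>
          </ds:Signature>
          <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
        </saml:Assertion>
      </samlp:Extensions>
    </samlp:Response>
  XML
end

puts SamlWrapCheck.name_id(SamlWrapCheck::BENIGN)    # alice@example.org
puts SamlWrapCheck.rejected?(SamlWrapCheck::WRAPPED) # true
```

The check is intentionally strict (one Assertion, one Signature, one Reference, one holder of the referenced ID, and the Signature a direct child of that Assertion). An SP that needs to accept Response-level signatures or multiple assertions has to relax it deliberately, and whatever it relaxes must still end with the data being read from the node the verified signature covers.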
Potential Impact
For European organizations the impact is substantial. SAML underpins single sign-on and federated identity management across government, finance, healthcare and critical infrastructure, and the service provider is usually the last control between an identity assertion and access to an internal application. Exploitation lets an attacker bypass authentication at the service provider outright, reach sensitive systems and data under another user's identity, and from there move laterally. That compromises the confidentiality and integrity of user identities and access controls and can lead to data breaches, fraud and service disruption. Because the bypass happens on the SP side, IdP-side controls such as multi-factor authentication do not help: the IdP never authenticates the impersonated user at all. Successful exploitation also undermines trust between identity providers and service providers. No privileges on the SP and no user interaction are needed, which lowers the bar for attackers and raises the likelihood of exploitation wherever the library is unpatched. Organizations running legacy ruby-saml versions in Ruby web applications, including through gems that depend on it, are particularly exposed.
Mitigation Recommendations
1. Upgrade ruby-saml to 1.18.0 or later without delay. The advisory names only 1.18.0 as the fixed release; do not assume a patched 1.12.x release exists.
2. Inventory every application and service that uses ruby-saml, in production and non-production environments alike. Check Gemfile.lock files rather than Gemfiles, because ruby-saml is often pulled in transitively (for example by omniauth-saml) and will not appear as a direct dependency.
3. Where an upgrade cannot happen immediately, keep signature verification and assertion extraction on the same parsed document: read the NameID and attributes only from the element the verified signature's Reference resolves to, and reject responses that contain more than one Assertion, more than one Signature, or more than one element carrying the referenced ID. Do not rely on "first match" XPath lookups.
4. Add monitoring for SAML authentication flows: log Issuer, NameID, InResponseTo and the assertion ID on the SP, and correlate SP logins with IdP-side authentication logs. An SP login for which the IdP recorded no authentication of that user is the signature of a forged assertion.
5. WAF rules for known signature-wrapping payload shapes can add defense in depth, but treat them as a stopgap: a wrapped response is well-formed XML, usually delivered base64-encoded in a POST body, so generic rules catch little.
6. Train development teams on secure XML handling and on the signature-wrapping class: the node that was verified and the node that is consumed must be the same node.
7. Include SAML endpoints in penetration tests and code audits, with explicit signature-wrapping and parser-differential test cases against the SP, not only the IdP.
8. Coordinate with identity providers and service providers so that expectations about which elements are signed (Assertion, Response, or both) match on both sides and the SP enforces them, and use encrypted assertions where the IdP supports them.
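For the inventory step, the following is an added example (not ruby-saml tooling) that walks a checkout tree, reads every Gemfile.lock, and reports each resolved ruby-saml version below the release the advisory names as fixed. It assumes the standard Bundler lockfile layout, in which a resolved gem appears under "specs:" as exactly four spaces followed by "name (version)" while dependency lines are indented six spaces and carry constraints; the two lockfiles embedded in the module are constructed, and the gem versions in them other than ruby-saml's are illustrative.

```ruby
require 'rubygems'   # Gem::Version
require 'tmpdir'
require 'fileutils'

# Added example (not ruby-saml's own tooling): find every Gemfile.lock under a
# root and flag resolved ruby-saml versions below the fixed release.
module RubySamlAudit
  FIXED = Gem::Version.new('1.18.0')
  # Assumed lockfile layout: resolved gems sit under "specs:" as 4 spaces +
  # "name (version)"; dependency lines are indented 6 spaces with constraints
  # such as "(~> 1.12)", which this regex deliberately does not match.
  PIN = /^    ruby-saml \(([0-9][^)\s]*)\)/

  # Version actually resolved by Bundler, or nil if the lockfile has no ruby-saml.
  def self.pinned_version(lock_text)
    m = lock_text.match(PIN)
    m && Gem::Version.new(m[1])
  end

  def self.needs_upgrade?(version)
    return false if version.nil?
    version < FIXED
  end

  # [[path relative to root, version, needs_upgrade], ...] for each lockfile
  # that resolves ruby-saml, in path order.
  def self.scan(root)
    Dir.glob(File.join(root, '**', 'Gemfile.lock')).sort.map do |path|
      v = pinned_version(File.read(path))
      v && [path.delete_prefix(root + '/'), v.to_s, needs_upgrade?(v)]
    end.compact
  end

  # Constructed lockfile: ruby-saml pulled in transitively through omniauth-saml.
  LEGACY_LOCK = <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        omniauth-saml (2.2.0)
          omniauth (~> 2.1)
          ruby-saml (~> 1.12)
        ruby-saml (1.12.4)
          nokogiri (>= 1.13.10)
          rexml
  LOCK

  # Constructed lockfile already on the fixed release.
  FIXED_LOCK = <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        ruby-saml (1.18.0)
          nokogiri (>= 1.13.10)
          rexml
  LOCK

  # Writes the two constructed lockfiles into a scratch tree and scans it.
  def self.demo
    Dir.mktmpdir do |root|
      { 'legacy-app' => LEGACY_LOCK, 'new-app' => FIXED_LOCK }.each do |name, text|
        FileUtils.mkdir_p(File.join(root, name))
        File.write(File.join(root, name, 'Gemfile.lock'), text)
      end
      scan(root)
    end
  end
end

RubySamlAudit.demo.each do |path, version, bad|
  puts "#{bad ? 'UPGRADE' : 'ok     '} #{path} ruby-saml #{version}"
end
```

Run it against a real tree with RubySamlAudit.scan('/srv/checkouts') (path assumed). It reports anything below 1.18.0 rather than only the "up to and including 1.12.4" range, matching recommendation 1: the target is the fixed release, not merely leaving the range the advisory text names.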
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Finland
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T16:17:35.386Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 69378a8b0af42da4c56f97ca
Added to database: 12/9/2025, 2:33:47 AM
Last enriched: 12/16/2025, 6:04:54 AM
Last updated: 2/7/2026, 2:07:05 AM