CVE-2025-66568: CWE-347: Improper Verification of Cryptographic Signature in SAML-Toolkits ruby-saml
The ruby-saml library implements the client side of a SAML authorization. Versions up to and including 1.12.4 are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2's canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 1.18.0.
AI Analysis
Technical Summary
CVE-2025-66568 is a critical vulnerability in ruby-saml, a widely used Ruby library for the service-provider (client) side of SAML single sign-on. It is an improper verification of a cryptographic signature (CWE-347) arising from how ruby-saml uses the libxml2 canonicalization (C14N) that Nokogiri exposes for XML document transformation. XML-DSig verification has two steps: each ds:Reference names a signed element, which is canonicalized, hashed and compared with the stored DigestValue; the SignedInfo carrying those DigestValues is then checked against the signature itself. When libxml2's canonicalization is invoked on malformed or otherwise invalid XML, it may return an empty string rather than the canonical form of the referenced node. ruby-saml computed the digest over that empty string as if canonicalization had succeeded, so the reference check no longer bound the signature to the assertion content the library went on to trust. That gap is what makes a Signature Wrapping attack possible: an attacker who can submit a crafted SAML Response to the service provider can get an assertion accepted without privileges or user interaction. The description states the affected range as versions up to and including 1.12.4 and the fix as 1.18.0; since the text does not address the releases in between, treat any version below 1.18.0 as unpatched unless the upstream advisory says otherwise. The CVSS 4.0 base score of 9.3 (critical) reflects a network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity. No in-the-wild exploitation has been reported, but any service relying on a vulnerable ruby-saml for SAML authentication is exposed to unauthorized access to the resources behind it.
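To make the failure mode concrete, here is an added example of the Reference digest step in XML-DSig verification. It is not ruby-saml's code and not from the advisory; it is written in plain Ruby with REXML so it runs without Nokogiri. Real C14N is represented by a callable parameter: STAND_IN_C14N is a deterministic serializer, not canonicalization, and FAILING_C14N models libxml2 returning an empty string. The sample Response, its ID values, the DigestMethod mapping and all function names are constructed for this example. With strict: false the check reproduces what the description says ruby-saml did, hashing the empty output as if it were the element; with strict: true it fails closed. It also exposes the empty-input digests as a detection value. Only the Reference digest check is modelled; signature verification over SignedInfo is not part of it.

```ruby
require "digest"
require "rexml/document"

DS_NS = { "ds" => "http://www.w3.org/2000/09/xmldsig#" }.freeze
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"

# DigestMethod Algorithm URIs seen in SAML signatures, mapped to Ruby digest classes.
DIGEST_CLASSES = {
  "http://www.w3.org/2000/09/xmldsig#sha1"       => Digest::SHA1,
  SHA256_URI                                      => Digest::SHA256,
  "http://www.w3.org/2001/04/xmldsig-more#sha384" => Digest::SHA384,
  "http://www.w3.org/2001/04/xmlenc#sha512"       => Digest::SHA512,
}.freeze

# Base64 digest of the empty string per algorithm. A DigestValue equal to one of these is
# the fingerprint of the condition the advisory describes: a digest computed over "".
EMPTY_INPUT_DIGESTS = DIGEST_CLASSES.transform_values { |k| k.base64digest("") }.freeze

class DigestCheckError < StandardError; end

def suspicious_digest_value?(algorithm_uri, digest_value)
  EMPTY_INPUT_DIGESTS[algorithm_uri] == digest_value.to_s.strip
end

# Constant-time comparison; String#== returns at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Resolves the first ds:Reference (URI="#id") to the element carrying that ID, canonicalizes
# it with the supplied callable (Nokogiri::XML::Node#canonicalize in a real SP), hashes the
# result and compares it with DigestValue. strict: false hashes an empty canonical form as
# if it were the element (the behaviour the advisory describes); strict: true fails closed.
def verify_reference_digest(xml, canonicalize:, strict: true)
  doc = REXML::Document.new(xml)
  ref = REXML::XPath.first(doc, "//ds:Reference", DS_NS)
  raise DigestCheckError, "no ds:Reference in document" unless ref

  uri = ref.attributes["URI"].to_s
  id = uri.delete_prefix("#")
  unless uri.start_with?("#") && id.match?(/\A[A-Za-z_][\w.-]*\z/)
    raise DigestCheckError, "only same-document #ID references are accepted (got #{uri.inspect})"
  end
  target = REXML::XPath.first(doc, "//*[@ID='#{id}']")
  raise DigestCheckError, "referenced element #{uri} not found" unless target

  method = REXML::XPath.first(ref, "ds:DigestMethod", DS_NS)
  algorithm = method && method.attributes["Algorithm"]
  digest_class = DIGEST_CLASSES[algorithm]
  raise DigestCheckError, "unsupported DigestMethod #{algorithm.inspect}" unless digest_class
  value = REXML::XPath.first(ref, "ds:DigestValue", DS_NS)
  expected = value ? value.text.to_s.strip : ""

  canonical = canonicalize.call(target).to_s
  if strict && canonical.empty?
    raise DigestCheckError, "canonicalization of #{uri} produced no output; refusing to hash it"
  end
  secure_equal?(digest_class.base64digest(canonical), expected)
end

# Constructed sample documents: no real IdP signature, only the Reference part is modelled.
STAND_IN_C14N = ->(element) { element.to_s }  # deterministic serialisation, NOT real C14N
FAILING_C14N  = ->(_element) { "" }           # mimics libxml2 returning "" on invalid input

def build_sample_response(digest_value)
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
      <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject></saml:Assertion>
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="#{SHA256_URI}"/>
        <ds:DigestValue>#{digest_value}</ds:DigestValue>
      </ds:Reference></ds:SignedInfo></ds:Signature>
    </samlp:Response>
  XML
end

# Digest the sample assertion with the stand-in serializer so the "good" document verifies.
def sample_assertion_digest
  doc = REXML::Document.new(build_sample_response("placeholder"))
  Digest::SHA256.base64digest(STAND_IN_C14N.call(REXML::XPath.first(doc, "//*[@ID='_a1']")))
end

GOOD_RESPONSE         = build_sample_response(sample_assertion_digest)
EMPTY_DIGEST_RESPONSE = build_sample_response(EMPTY_INPUT_DIGESTS[SHA256_URI])

if $PROGRAM_NAME == __FILE__
  puts "good response, working C14N:      #{verify_reference_digest(GOOD_RESPONSE, canonicalize: STAND_IN_C14N)}"
  puts "empty C14N output, lenient check: #{verify_reference_digest(EMPTY_DIGEST_RESPONSE, canonicalize: FAILING_C14N, strict: false)}"
  begin
    verify_reference_digest(EMPTY_DIGEST_RESPONSE, canonicalize: FAILING_C14N)
  rescue DigestCheckError => e
    puts "empty C14N output, strict check:  rejected (#{e.message})"
  end
end
```

The lenient path passes only because the document's DigestValue is the digest of nothing, which is why EMPTY_INPUT_DIGESTS doubles as a detection list: a SAML Response whose DigestValue matches the empty-input digest for its declared DigestMethod should be rejected and alerted on regardless of library version. A hardened verifier should also keep a reference to the exact element object it verified and consume the assertion from that object, rather than re-selecting it by XPath afterwards.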
Potential Impact
For European organizations, this vulnerability poses a severe risk to the confidentiality and integrity of any authentication flow that terminates in ruby-saml. Successful exploitation lets an attacker log in as a user of their choosing without the identity provider having issued an assertion for that user; because the service provider believes it validated a signed assertion, the login looks legitimate in its own records. The consequences are data breaches, unauthorized transactions, and takeover of user identities. Organizations in finance, healthcare, government, and cloud service provision are particularly exposed because of their reliance on SAML for federated identity management. The attack runs over the network against the service provider's assertion consumer endpoint and requires no user interaction, so it scales to large user bases and can reach critical infrastructure. Once inside, an attacker can use the compromised identity for lateral movement, compounding the breach. The vulnerability undermines trust in SAML-based single sign-on (SSO), which is used throughout European enterprises and public sector entities.
Mitigation Recommendations
The primary mitigation is to upgrade ruby-saml to version 1.18.0 or later, where the issue is fixed. Audit dependencies rather than assuming: check Gemfile.lock (or `bundle info ruby-saml`) in every Ruby service that consumes SAML, including vendored or transitively pulled copies; because the description's affected range ends at 1.12.4 while the fix is in 1.18.0, treat any version below 1.18.0 as unpatched unless the upstream advisory says otherwise. Keep Nokogiri and libxml2 current as general hygiene, but do not expect them to close this issue: the fix is in ruby-saml's handling of the canonicalization result, not in libxml2. Do not rely on "sanitizing" the SAMLResponse before parsing; the response is attacker-supplied input by design, and the signature check is the control that must hold. For defense in depth, monitor authentication logs for anomalies: service-provider logins with no matching authentication event at the identity provider, unexpected NameID or attribute values, and SAML Responses whose DigestValue equals the digest of an empty input for the declared DigestMethod, which is the fingerprint of the empty-canonicalization condition the description talks about. A WAF rule targeting malformed SAML Responses can add friction but cannot be relied on, since the payload is base64-encoded XML and the malicious structure is easy to vary. Include SAML assertion-consumer endpoints in penetration testing, with signature wrapping and XML canonicalization edge cases explicitly in scope. Finally, make sure developers and security teams understand improper signature verification and secure XML handling.
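As an added example for the dependency audit (not part of the page or of ruby-saml), here is a short Ruby script that reads a Gemfile.lock, picks the ruby-saml and nokogiri versions out of the `specs:` section and flags ruby-saml below 1.18.0 using Bundler's own version semantics via Gem::Version and Gem::Requirement. The lockfile excerpt, gem versions and function names are constructed for the example.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Fixed-in version from the advisory. The description's stated affected range ends at
# 1.12.4, but the fix ships in 1.18.0, so everything below 1.18.0 is reported.
RUBY_SAML_FIXED = Gem::Version.new("1.18.0")
VULNERABLE_REQ  = Gem::Requirement.new("< #{RUBY_SAML_FIXED}")

# Parses the resolved gems of a Gemfile.lock: inside a "  specs:" block, four-space-indented
# lines of the form "    name (version)". Six-space-indented dependency lines, and the
# DEPENDENCIES section (which holds requirements such as "~> 1.12"), are skipped.
# Platform-specific versions like "1.16.7-x86_64-linux" are reduced to the numeric part.
def lockfile_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.match?(/\A  specs:\s*\z/)
      in_specs = true
      next
    end
    if line.strip.empty?
      in_specs = false
      next
    end
    next unless in_specs
    m = line.match(/\A {4}(?<name>\S+) \((?<version>[^)]+)\)\s*\z/)
    next unless m
    versions[m[:name]] = Gem::Version.new(m[:version].split("-", 2).first)
  end
  versions
end

# Reports the gems involved in SAML processing and whether ruby-saml needs an upgrade.
def audit_ruby_saml(lock_text)
  versions = lockfile_versions(lock_text)
  saml = versions["ruby-saml"]
  vulnerable = saml ? VULNERABLE_REQ.satisfied_by?(saml) : false
  action = if saml.nil?
             "ruby-saml not in lockfile"
           elsif vulnerable
             "upgrade ruby-saml #{saml} to >= #{RUBY_SAML_FIXED}"
           else
             "ruby-saml #{saml} is at or above the fixed version"
           end
  { ruby_saml: saml&.to_s, nokogiri: versions["nokogiri"]&.to_s, vulnerable: vulnerable, action: action }
end

# Constructed lockfile excerpt (not from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.7-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)
      rexml (3.3.9)
      ruby-saml (1.12.2)
        nokogiri (>= 1.13.10)
        rexml

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    ruby-saml (~> 1.12)
LOCK

puts audit_ruby_saml(SAMPLE_LOCKFILE) if $PROGRAM_NAME == __FILE__
```

To run it against a real project, replace SAMPLE_LOCKFILE with `File.read("Gemfile.lock")`. Because the lockfile records the resolved version rather than the Gemfile's requirement, this catches the common case where the Gemfile says `~> 1.12` and nobody has run `bundle update ruby-saml` since the fix was released.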
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T16:17:35.386Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69378a8b0af42da4c56f97cf
Added to database: 12/9/2025, 2:33:47 AM
Last enriched: 12/16/2025, 6:05:16 AM
Last updated: 2/7/2026, 2:43:11 AM
Views: 309
Related Threats
- CVE-2026-2071: Buffer Overflow in UTT 进取 520W (High)
- CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
- CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
- CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
- CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)