CVE-2025-66568: CWE-347: Improper Verification of Cryptographic Signature in SAML-Toolkits ruby-saml
The ruby-saml library implements the client side of a SAML authorization. Versions up to and including 1.12.4 are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2's canonicalization is invoked on invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then computes the DigestValue over this empty string, treating it as if canonicalization had succeeded. This issue is fixed in version 1.18.0.
AI Analysis
Technical Summary
CVE-2025-66568 is a critical vulnerability affecting the ruby-saml library, a widely used client-side implementation for SAML authorization in Ruby applications. The vulnerability stems from an improper verification of cryptographic signatures (CWE-347) caused by the interaction between ruby-saml and the libxml2 library used via Nokogiri for XML canonicalization. Specifically, when libxml2 processes invalid XML input during canonicalization, it may return an empty string instead of a properly canonicalized node. Ruby-saml then computes the DigestValue over this empty string, mistakenly treating the signature as valid. This flaw enables a Signature Wrapping attack, where an attacker can craft malicious SAML responses that bypass authentication checks without requiring any privileges or user interaction. The vulnerability affects all ruby-saml versions up to and including 1.12.4 and is resolved in version 1.18.0. The CVSS 4.0 base score of 9.3 reflects the vulnerability's high impact on confidentiality and integrity, with network attack vector, no required privileges, and no user interaction needed. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk to applications relying on ruby-saml for SAML-based authentication, potentially allowing unauthorized access to protected resources.
Potential Impact
For European organizations, the impact of CVE-2025-66568 is substantial, particularly for those relying on ruby-saml for SAML-based single sign-on (SSO) and federated identity management. Successful exploitation can lead to authentication bypass, allowing attackers to impersonate legitimate users, access sensitive data, and escalate privileges within enterprise environments. This threatens confidentiality and integrity of critical systems and data. Sectors such as finance, healthcare, government, and large enterprises that heavily depend on SAML for secure authentication are at heightened risk. The vulnerability could facilitate lateral movement within networks and compromise trust boundaries established by SAML assertions. Given the criticality and ease of exploitation, organizations face potential regulatory and compliance repercussions under GDPR if breaches occur. The absence of required privileges or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation if patches are not applied promptly.
Mitigation Recommendations
To mitigate CVE-2025-66568, organizations should immediately upgrade ruby-saml to version 1.18.0 or later, where the vulnerability is fixed. Additionally, it is crucial to audit all SAML implementations for similar canonicalization and signature verification issues, especially those leveraging libxml2 or Nokogiri for XML processing. Implement strict input validation and XML schema validation to detect malformed or malicious XML inputs before processing. Employ runtime monitoring and anomaly detection to identify unusual authentication patterns indicative of signature wrapping attacks. Where feasible, consider adopting alternative or additional authentication mechanisms such as multi-factor authentication (MFA) to reduce reliance on SAML assertions alone. Regularly review and update dependencies and libraries to incorporate security patches promptly. Finally, conduct security awareness training for developers on secure XML processing and signature verification best practices.
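The failure mode described above (an empty canonicalization result hashed as though it were the referenced node) and the corresponding guard, as an added Ruby example that is not ruby-saml's own code. The `fake_canonicalize` stand-in is constructed for this example and mimics the libxml2 behaviour the advisory describes; it is not Nokogiri's API.

```ruby
require "digest"

# Raised by the hardened check when canonicalization yields nothing.
class CanonicalizationError < StandardError; end

# Stand-in for the Nokogiri/libxml2 canonicalization step (constructed for
# this example, not Nokogiri's API). For a plausible element it returns
# C14N-style output; for invalid input it returns "" instead of raising,
# which is the behaviour the advisory describes.
def fake_canonicalize(xml)
  text = xml.to_s.strip
  text.start_with?("<") ? text : ""
end

# Strictly decode a base64 DigestValue as carried in a ds:Reference.
def decode_digest_value(digest_value)
  digest_value.unpack1("m0")
end

# Vulnerable pattern: hashes whatever canonicalization returned, so an
# empty result is compared exactly like a real node.
def digest_matches_unchecked(xml, digest_value)
  Digest::SHA256.digest(fake_canonicalize(xml)) == decode_digest_value(digest_value)
end

# Hardened pattern: an empty canonicalization result is a verification
# failure and never becomes input to the digest.
def digest_matches_checked(xml, digest_value)
  canon = fake_canonicalize(xml)
  raise CanonicalizationError, "empty canonicalization output" if canon.nil? || canon.empty?
  Digest::SHA256.digest(canon) == decode_digest_value(digest_value)
end

# Helper: the DigestValue a signer would emit for a given node.
def digest_value_for(xml)
  [Digest::SHA256.digest(fake_canonicalize(xml))].pack("m0")
end
```

A regression test for this bug should feed the verifier input whose canonicalization is empty and assert that verification fails rather than comparing a digest.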
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T16:17:35.386Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69378a8b0af42da4c56f97cf
Added to database: 12/9/2025, 2:33:47 AM
Last enriched: 12/9/2025, 2:48:45 AM
Last updated: 12/9/2025, 11:06:38 AM