CVE-2025-66578: CWE-248: Uncaught Exception in robrichards xmlseclibs
xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. xmlseclibs then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 3.1.4. Workarounds include treating canonicalization failures (exceptions or nil/empty outputs) as fatal and aborting validation, and/or adding explicit checks to reject when canonicalize returns nil/empty or raises errors.
AI Analysis
Technical Summary
CVE-2025-66578 affects the xmlseclibs PHP library, which is widely used for XML Encryption and Signature processing. The vulnerability stems from a flaw in the libxml2 canonicalization process invoked during XML document transformation. Specifically, when libxml2 attempts to canonicalize an invalid XML input, it may return an empty string instead of a properly canonicalized node. xmlseclibs versions prior to 3.1.4 do not treat this empty string as a failure; instead, they proceed to compute the DigestValue over the empty string. This incorrect handling results in an authentication bypass because the signature validation process is effectively circumvented. The vulnerability is classified under CWE-248 (Uncaught Exception) because xmlseclibs fails to handle exceptions or nil/empty outputs from canonicalization properly. The issue is fixed in xmlseclibs version 3.1.4, where canonicalization failures cause validation to abort. Workarounds include explicitly checking for empty or nil canonicalization results and treating such cases as fatal errors. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L) indicates network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and low availability impact. No known exploits have been reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity of XML-based authentication and signature verification processes. Since xmlseclibs is used in PHP applications to secure XML communications, an attacker with high privileges could exploit this flaw to bypass authentication mechanisms, potentially allowing unauthorized access or manipulation of sensitive data. The confidentiality impact is high because attackers might gain access to protected resources or data. Although integrity and availability impacts are rated low, the authentication bypass could facilitate further attacks or privilege escalation. Organizations relying on XML signatures for secure transactions, identity assertions, or document validation in sectors such as finance, government, and critical infrastructure could face increased risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future exploitation, especially as attackers analyze the vulnerability. Failure to patch or implement mitigations could lead to compromise of sensitive systems and data.
Mitigation Recommendations
European organizations should immediately upgrade xmlseclibs to version 3.1.4 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement strict validation checks to detect and abort processing when canonicalization returns nil, empty strings, or raises exceptions. Specifically, modify the XML signature validation logic to treat any canonicalization failure as a fatal error, preventing further processing. Conduct code audits to ensure no custom wrappers or legacy code bypass these checks. Additionally, restrict access to systems running xmlseclibs to trusted administrators only, as exploitation requires high privileges. Monitor logs for unusual XML processing errors or authentication bypass attempts. Incorporate this vulnerability into vulnerability management and patching workflows. Finally, consider employing defense-in-depth strategies such as network segmentation and application-layer firewalls to limit exposure.
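The mitigation above amounts to one rule: never hash the output of canonicalization unless you have confirmed it is a real, non-empty canonical form. The following PHP is an added illustration of that rule and is not code from xmlseclibs or its author. It uses PHP's DOM extension (`DOMNode::C14N`, which is backed by libxml2, the same canonicalizer xmlseclibs relies on), computes a DigestValue the way XML-DSig does, and fails closed on parse errors, a `false` return, or an empty string. The class and function names (`CanonicalizationException`, `canonicalizeOrFail`, `canonicalizeXmlOrFail`, `digestValue`, `digestMatches`) and the sample assertion are assumptions made for this example.

```php
<?php
// Added example, not xmlseclibs code: canonicalize-then-digest helpers that
// treat a failed or empty canonicalization as a fatal validation error.
declare(strict_types=1);

// Hypothetical exception type used to make canonicalization failures explicit.
final class CanonicalizationException extends RuntimeException {}

/**
 * Canonicalize $node (Exclusive C14N by default) and return the bytes,
 * or throw if libxml2 reported an error or produced no output at all.
 */
function canonicalizeOrFail(DOMNode $node, bool $exclusive = true, bool $withComments = false): string
{
    $canon = $node->C14N($exclusive, $withComments);
    // DOMNode::C14N returns false on error. An empty string is equally unusable:
    // a digest over "" cannot correspond to any signed content, so it must not
    // be silently hashed and compared.
    if ($canon === false || $canon === '') {
        throw new CanonicalizationException('canonicalization failed or produced empty output');
    }
    return $canon;
}

/**
 * Parse an XML string and canonicalize its root element. Malformed input is
 * rejected before canonicalization is even attempted.
 */
function canonicalizeXmlOrFail(string $xml): string
{
    libxml_use_internal_errors(true); // collect parser errors instead of emitting warnings
    $doc = new DOMDocument();
    $loaded = $doc->loadXML($xml);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    if ($loaded === false || $errors !== [] || $doc->documentElement === null) {
        $detail = isset($errors[0]) ? trim($errors[0]->message) : 'no document element';
        throw new CanonicalizationException('input is not well-formed XML: ' . $detail);
    }
    return canonicalizeOrFail($doc->documentElement);
}

/** DigestValue as XML-DSig defines it: base64(hash(canonicalized bytes)). */
function digestValue(DOMNode $node, string $algo = 'sha256'): string
{
    return base64_encode(hash($algo, canonicalizeOrFail($node), true));
}

/** Compare a computed digest with the DigestValue carried in the signature; fail closed. */
function digestMatches(DOMNode $node, string $expectedBase64, string $algo = 'sha256'): bool
{
    try {
        $computed = digestValue($node, $algo);
    } catch (CanonicalizationException $e) {
        // A canonicalization failure is a validation failure, never a match.
        return false;
    }
    return hash_equals($expectedBase64, $computed);
}

// Constructed sample input: a small well-formed signed element.
$doc = new DOMDocument();
$doc->loadXML('<Assertion ID="a1"><Subject>alice</Subject></Assertion>');
$assertion = $doc->documentElement;

$good = digestValue($assertion);                         // digest over the real canonical bytes
$emptyDigest = base64_encode(hash('sha256', '', true));  // sha256("") = 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=

var_dump(digestMatches($assertion, $good));        // bool(true)
var_dump(digestMatches($assertion, $emptyDigest)); // bool(false): real content never digests to sha256("")

// Constructed malformed input: rejected before any digest is computed.
try {
    canonicalizeXmlOrFail('<Assertion ID="a1"><Subject>alice</Assertion>');
} catch (CanonicalizationException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The comparison with `sha256("")` is the point of the check: if an empty canonical form were accepted, the fixed digest of the empty string would be a valid DigestValue for any reference, which is exactly the condition the advisory describes. Any wrapper around xmlseclibs should apply the same fail-closed handling to its own canonicalization calls, and a log entry for each rejection gives the monitoring step above something concrete to alert on.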
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T18:53:42.398Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6937a044f0d475f65e8bac81
Added to database: 12/9/2025, 4:06:28 AM
Last enriched: 12/9/2025, 4:06:42 AM
Last updated: 12/10/2025, 8:17:38 PM
Views: 112
Related Threats
- CVE-2025-65602: n/a (severity: Unknown)
- CVE-2025-63895: n/a (severity: Unknown)
- CVE-2024-0353: CWE-269 Improper Privilege Management in ESET, spol. s r.o. ESET NOD32 Antivirus (severity: High)
- CVE-2025-56431: n/a (severity: Unknown)
- CVE-2025-56430: n/a (severity: Unknown)