Headline
GHSA-9v8j-x534-2fx3: Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)
Summary
Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0.
Impact
That allows an attacker to be able to execute a Signature Wrapping attack and bypass the authentication
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-66567
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)
Critical severity GitHub Reviewed Published Dec 8, 2025 in SAML-Toolkits/ruby-saml • Updated Dec 8, 2025
Package
Affected versions
< 1.18.0
Summary
Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0.
Impact
That allows an attacker to be able to execute a Signature Wrapping attack and bypass the authentication
References
- GHSA-9v8j-x534-2fx3
- SAML-Toolkits/ruby-saml@e9c1cdb
- GHSA-754f-8gm6-c4r2
Published to the GitHub Advisory Database
Dec 8, 2025