Critical Authentication Bypass Vulnerabilities in ruby-saml Library
Two critical authentication bypass vulnerabilities have been identified in the ruby-saml library, tracked as CVE-2025-66567 and CVE-2025-66568. Both flaws affect versions up to and including 1.12.4 and allow attackers to execute Signature Wrapping attacks, potentially bypassing SAML authentication. CVE-2025-66568 is caused by Libxml2 canonicalization errors, where invalid XML input may result in an empty string during canonicalization, leading to improper Digest/Signature validation. CVE-2025-66567 arises from differences in XML parsing between REXML and Nokogiri, resulting in inconsistent document structures and an incomplete fix for a previous vulnerability (CVE-2025-25292). Both vulnerabilities are remotely exploitable and have been rated as critical with a CVSS score of 9.3.
The issues have been addressed in ruby-saml version 1.18.0, and users are strongly advised to update to this version to mitigate the risk of authentication bypass. These vulnerabilities could allow attackers to impersonate users or gain unauthorized access to systems relying on SAML authentication via the affected library. No affected products have been specifically listed, but any application using vulnerable versions of ruby-saml is at risk. Security advisories and technical details have been published to inform the community and facilitate remediation.
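To check a deployment against the versions named above, the following added example (not code from the ruby-saml project or from the advisories) reads the resolved ruby-saml version out of a Gemfile.lock and classifies it. The lockfile text, the `example-sso` gem and the function names are constructed for illustration; versions between 1.12.4 and 1.18.0 are reported separately because the page only states the affected ceiling and the fixed release.

```ruby
require "rubygems" # Gem::Version

# Version boundaries as stated in the advisory summary above.
AFFECTED_UP_TO = Gem::Version.new("1.12.4")
FIXED_IN       = Gem::Version.new("1.18.0")

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-sso (0.1.0)
        ruby-saml (~> 1.12)
      ruby-saml (1.12.4)
        nokogiri (>= 1.13.10)

  DEPENDENCIES
    ruby-saml
LOCK

# Resolved versions are the 4-space-indented entries under "specs:".
# Deeper-indented lines are dependency constraints and must be ignored,
# otherwise "ruby-saml (~> 1.12)" would be misread as the locked version.
def locked_ruby_saml_version(lockfile_text)
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ # a new top-level section ends the specs list
      in_specs = false
    elsif in_specs && (m = line.match(/\A    ruby-saml \(([^)]+)\)\s*\z/))
      return m[1]
    end
  end
  nil
end

def ruby_saml_status(lockfile_text)
  raw = locked_ruby_saml_version(lockfile_text)
  return :not_present if raw.nil?
  return :unparseable unless Gem::Version.correct?(raw)
  version = Gem::Version.new(raw)
  return :fixed if version >= FIXED_IN
  version <= AFFECTED_UP_TO ? :affected : :below_fixed_release
end

puts "ruby-saml status: #{ruby_saml_status(SAMPLE_LOCK)}" if __FILE__ == $0
```

Anything other than `:fixed` or `:not_present` means the application should be moved to 1.18.0 as the page advises.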

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Open-source toolkit released to find and exploit affected deployments
Researchers released an open-source toolkit to help identify and exploit vulnerable SAML implementations in real-world environments. The toolkit operationalized the newly disclosed attack techniques for testing and validation.
Researchers show GitLab EE 17.8.4 compromise via SAML flaws
During the Black Hat Europe research disclosure, the attacks were demonstrated against GitLab Enterprise Edition 17.8.4, showing real-world impact on a major platform. The example illustrated that the SAML weaknesses were exploitable beyond lab conditions.
Black Hat Europe talk demonstrates new SAML signature bypass techniques
At Black Hat Europe, PortSwigger researcher Zak Fedotkin demonstrated XML signature validation bypass techniques involving attribute pollution, namespace confusion, and void canonicalization. The presentation showed how these methods could achieve full authentication bypass in Ruby and PHP SAML ecosystems.
Proof-of-concept exploits and GitHub advisories are published
Security advisories and proof-of-concept exploit material for CVE-2025-66567 were published on GitHub, providing technical details for the signature-wrapping authentication bypass. This marked a significant escalation by making exploitation guidance publicly available.
ruby-saml 1.18.0 released to fix CVE-2025-66567
The CVE-2025-66567 advisory states the vulnerability was fixed in ruby-saml version 1.18.0. The update addressed an incomplete prior fix related to parser differentials between REXML and Nokogiri.
Advisories disclose CVE-2025-66567 and CVE-2025-66568 publicly
Public reporting and vulnerability listings on December 9, 2025 disclosed the two critical ruby-saml issues, including that CVE-2025-66567 affected versions up to and including 1.12.4. The disclosures described the bugs as remotely exploitable authentication bypass vulnerabilities.
Researchers identify two critical ruby-saml authentication bypass flaws
Researchers discovered CVE-2025-66567 and CVE-2025-66568 in the ruby-saml library, showing that XML parsing and canonicalization issues could let attackers bypass SAML authentication. The flaws affect applications relying on ruby-saml for signature validation and authentication decisions.
Sources
SAML authentication broken almost beyond repair (csoonline.com)
CVE-2025-66568 - ruby-saml Libxml2 Canonicalization errors can bypass Digest/Signature validation (cvefeed.io)
CVE-2025-66567 - ruby-saml has a SAML authentication bypass due to namespace handling (parser differential) (cvefeed.io)
Critical Authentication Bypass Flaws Discovered in Ruby SAML Library (CVE-2025-66567 & CVE-2025-66568) (securityonline.info)


