CVE-2025-66578
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-11

Assigner: GitHub, Inc.

Description
xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Version 3.1.3 contains an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2's canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. xmlseclibs then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 3.1.4. Workarounds include treating canonicalization failures (exceptions or nil/empty outputs) as fatal and aborting validation, and/or adding explicit checks to reject when canonicalize returns nil/empty or raises errors.
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-12-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor              Product      Version / Range
xmlseclibs          xmlseclibs   3.1.3
xmlseclibs          xmlseclibs   3.1.4
xmlseclibs_project  xmlseclibs   to 3.1.4 (inc)
CWE
CWE-248: An exception is thrown from a function, but it is not caught.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in xmlseclibs version 3.1.3, a PHP library for XML Encryption and Signatures. It is caused by a flaw in the libxml2 canonicalization process during document transformation. When libxml2 canonicalization is applied to invalid XML input, it may return an empty string instead of a canonicalized node. xmlseclibs then computes the DigestValue over this empty string, mistakenly treating it as a successful canonicalization. Because the digest of an attacker-independent empty string is then compared against the signed DigestValue, signature validation no longer binds to the document content, which leads to an authentication bypass.


How can this vulnerability impact me?

This vulnerability can allow an attacker to bypass authentication mechanisms that rely on XML signature validation. Because the library may accept an empty string as a valid canonicalized node, it could lead to accepting tampered or invalid XML documents as authentic, potentially compromising confidentiality, integrity, and availability of the system using xmlseclibs.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the version of the xmlseclibs library in use (for example in composer.lock or via `composer show robrichards/xmlseclibs`). Version 3.1.3 is vulnerable, while version 3.1.4 contains the fix. Additionally, monitoring for authentication bypass attempts related to XML signature validation failures may help. There are no specific commands provided to detect this vulnerability on a network or system.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading xmlseclibs to version 3.1.4 or later. As workarounds, treat canonicalization failures (exceptions or nil/empty outputs) as fatal and abort validation, and/or add explicit checks to reject when canonicalize returns nil/empty or raises errors.
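The following PHP snippet is an added illustration of the workaround described in the advisory and in the answer above; it is not code from xmlseclibs or its maintainers. It wraps PHP's built-in DOMNode::C14N() (which is what libxml2 canonicalization is exposed through in PHP) and refuses to compute a DigestValue when canonicalization returns false or an empty string, or when libxml reports errors. The function names canonicalizeOrFail and digestValue are hypothetical, and the sample document is constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not xmlseclibs code: treat any canonicalization failure
// (false result, empty output, or libxml errors) as fatal. Never let an
// empty string reach the digest computation.
function checkCanonicalOutput(string|false $canonical, array $libxmlErrors): string
{
    if ($canonical === false || $canonical === '' || $libxmlErrors !== []) {
        $detail = $libxmlErrors !== [] ? trim($libxmlErrors[0]->message) : 'empty or false output';
        throw new RuntimeException('canonicalization failed: ' . $detail);
    }
    return $canonical;
}

// Wrapper around DOMNode::C14N() (real PHP API) that collects libxml errors
// instead of letting them be emitted as warnings, then applies the check.
function canonicalizeOrFail(DOMNode $node, bool $exclusive = true, bool $withComments = false): string
{
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    try {
        $canonical = $node->C14N($exclusive, $withComments);
        $errors = libxml_get_errors();
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
    return checkCanonicalOutput($canonical, $errors);
}

// DigestValue as carried in ds:DigestValue: base64 of the raw hash over the
// canonical form. Only reached if canonicalization actually succeeded.
function digestValue(DOMNode $node, string $algo = 'sha256'): string
{
    return base64_encode(hash($algo, canonicalizeOrFail($node), true));
}

// --- demo on a constructed document ---
$doc = new DOMDocument();
$doc->loadXML('<Assertion ID="_1"><Subject>alice</Subject></Assertion>');
echo 'DigestValue: ', digestValue($doc->documentElement), PHP_EOL;

// Simulated failure modes: the outputs a broken canonicalization can yield.
foreach (['' , false] as $bad) {
    try {
        checkCanonicalOutput($bad, []);
        echo "unexpected: accepted\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The important property is that the failure path throws before any hashing happens, so a caller that compares digests never sees a DigestValue derived from an empty string; the exception must then be allowed to abort the whole signature validation rather than be swallowed, which is the CWE-248 condition the advisory points at.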

