Authentication Bypass Vulnerability in xmlseclibs Library by Rob Richards
CVE-2025-66578

6 MEDIUM

Key Information:

CVE Published: 9 December 2025

What is CVE-2025-66578?

xmlseclibs, a PHP library for XML Encryption and XML Signatures, has an authentication bypass issue in versions prior to 3.1.4. A flaw in the libxml2 canonicalization step allows invalid XML input to make canonicalization return an empty string. xmlseclibs then calculates the DigestValue over that empty string, treating the canonicalization as if it had succeeded. Users are advised to upgrade to version 3.1.4 or, as a workaround, to treat canonicalization errors as fatal and abort validation, and to check explicitly for nil or empty canonicalization output.
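As an added example that is not part of this advisory or of the xmlseclibs code base, the following PHP shows the described workaround applied around DOMNode::C14N(): libxml errors abort validation and empty output is rejected before any DigestValue is computed. The helper names are assumed, and PHP 8 is assumed for the union type.

```php
<?php
// Added example (not xmlseclibs' own code): a hypothetical wrapper applying
// the advisory's workaround. libxml errors are fatal and an empty C14N
// result aborts validation instead of being digested as if it succeeded.

/** Reject anything other than a non-empty, error-free C14N result. */
function checkCanonicalOutput(string|false $canonical, array $libxmlErrors): string
{
    if ($libxmlErrors !== []) {
        throw new RuntimeException('C14N libxml error: ' . trim($libxmlErrors[0]->message));
    }
    if ($canonical === false || $canonical === '') {
        // The CVE-2025-66578 condition: no canonical bytes, so no DigestValue may be computed.
        throw new RuntimeException('C14N produced no output; validation aborted');
    }
    return $canonical;
}

/** Canonicalize a node with libxml diagnostics captured and checked. */
function safeCanonicalize(DOMNode $node, bool $exclusive = true): string
{
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    try {
        return checkCanonicalOutput($node->C14N($exclusive, false), libxml_get_errors());
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

/** Base64 DigestValue as used in a ds:Reference (sha256 assumed here). */
function digestValue(string $canonical): string
{
    return base64_encode(hash('sha256', $canonical, true));
}

// Constructed input: a well-formed fragment canonicalizes and digests normally.
$doc = new DOMDocument();
$doc->loadXML('<Assertion ID="a1"><Subject>alice</Subject></Assertion>');
echo digestValue(safeCanonicalize($doc->documentElement)), "\n";

// The failure mode itself: '' and false both abort rather than yield a digest.
foreach (['', false] as $bad) {
    try {
        checkCanonicalOutput($bad, []);
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The same check belongs at every point where a validator feeds canonicalized bytes into a digest or signature comparison, not only around the Reference transforms.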

Affected Version(s)

xmlseclibs < 3.1.4

CVSS V3.1

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved