CVE-2025-66578
CVE-2025-66578 is a medium-severity vulnerability in Xmlseclibs Project Xmlseclibs with a CVSS 3.x base score of 6.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-248.
Key facts
- Severity: Medium (CVSS 3.x base score 6.0)
- EPSS exploit prediction: 0% (13th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-201790
- Weakness: CWE-248
- Affected product: Xmlseclibs Project Xmlseclibs
- Published:
- Last modified:
Description
xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. xmlseclibs then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 3.1.4. Workarounds include treating canonicalization failures (exceptions or nil/empty outputs) as fatal and aborting validation, and/or adding explicit checks to reject when canonicalize returns nil/empty or raises errors.
Frequently asked questions
- What is CVE-2025-66578?
- xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. xmlseclibs then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 3.1.4. Workarounds include treating canonicalization failures (exceptions or nil/empty outputs) as fatal and aborting validation, and/or adding explicit checks to reject when canonicalize returns nil/empty or raises errors.
- How severe is CVE-2025-66578?
- CVE-2025-66578 has a CVSS 3.x base score of 6.0, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability low.
- Is CVE-2025-66578 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (13th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-66578?
- CVE-2025-66578 affects Xmlseclibs Project Xmlseclibs. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-66578?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-66578 have an EU (EUVD) identifier?
- Yes. CVE-2025-66578 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-201790.
- When was CVE-2025-66578 published?
- CVE-2025-66578 was published on 2025-12-09 and last updated on 2026-06-17.
References
- https://github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php#L296
- https://github.com/robrichards/xmlseclibs/commit/69fd63080bc47a8d51bc101c30b7cb756862d1d6
- https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9
Affected products (1)
- cpe:2.3:a:xmlseclibs_project:xmlseclibs:*:*:*:*:*:*:*:*
More vulnerabilities in Xmlseclibs Project Xmlseclibs
- CVE-2019-3465 — High (CVSS 8.8): Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect…
- CVE-2026-32313 — High (CVSS 8.2): xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes…
All CVEs affecting Xmlseclibs Project Xmlseclibs →
Other CWE-248 vulnerabilities
- CVE-2018-11466 — Critical (CVSS 9.8): A vulnerability has been identified in SINUMERIK 808D V4.7 (All versions), SINUMERIK 808D V4.8 (All versions),…
- CVE-2024-42037 — Critical (CVSS 9.3): Vulnerability of uncaught exceptions in the Graphics module Impact: Successful exploitation of this vulnerability may…
- CVE-2025-53620 — Critical (CVSS 9.2): @builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the…
- CVE-2026-46689 — High (CVSS 8.7): Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/...…
- CVE-2026-9509 — High (CVSS 8.7): An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an…
- CVE-2025-9124 — High (CVSS 8.7): A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a…