PT-2025-49776 · Unknown+1 · Xmlseclibs+1

Published: 2025-12-09 · Updated: 2025-12-11 · CVE-2025-66578

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: xmlseclibs versions prior to 3.1.4

Description: xmlseclibs is a PHP library for XML Encryption and XML Signatures. Versions before 3.1.4 contain a flaw in how the libxml2 canonicalization step is handled during document transformation, which can lead to an authentication bypass. When libxml2 canonicalization is applied to invalid XML input, it may return an empty string instead of the canonicalized node. xmlseclibs then computes the DigestValue over that empty string, treating the canonicalization as if it had succeeded.

Recommendations: Update to version 3.1.4 or later. Treat canonicalization failures (exceptions or nil/empty outputs) as fatal and abort validation. Add explicit checks that reject the document when canonicalization returns nil/empty or raises an error.
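As an added example (not code from xmlseclibs or from this advisory), the check the recommendation describes, written in PHP: a digest comparison that hashes whatever canonicalization returns, beside one that treats a false or empty result as fatal. The function names, the injectable canonicalizer and the sample document are constructed for illustration.

```php
<?php
declare(strict_types=1);

final class CanonicalizationFailed extends RuntimeException {}

/** Hashes the canonical form and returns the base64 DigestValue. */
function digestValue(string $canonical): string
{
    return base64_encode(hash('sha256', $canonical, true));
}

/**
 * Accepts only a non-empty string from the canonicalizer. DOMNode::C14N() is
 * documented as string|false; an empty string is rejected as well, because a
 * digest over "" says nothing about the signed content.
 */
function requireCanonical(mixed $c14n): string
{
    if (!is_string($c14n) || $c14n === '') {
        throw new CanonicalizationFailed('canonicalization returned no data; abort validation');
    }
    return $c14n;
}

/**
 * Weak pattern (the behaviour the advisory describes): the canonicalization
 * result is hashed whatever it is, so a DigestValue equal to sha256("")
 * compares as valid when canonicalization silently produced nothing.
 */
function digestMatchesUnchecked(DOMNode $node, string $expected, callable $canonicalize): bool
{
    $c14n = (string) $canonicalize($node);
    return hash_equals(digestValue($c14n), $expected);
}

/** Hardened: a missing canonical form aborts validation instead of being hashed. */
function digestMatchesChecked(DOMNode $node, string $expected, callable $canonicalize): bool
{
    $c14n = requireCanonical($canonicalize($node));
    return hash_equals(digestValue($c14n), $expected);
}

// Constructed sample document and two canonicalizers: the real one and one
// that simulates the libxml2 failure mode by returning an empty string.
$doc = new DOMDocument();
$doc->loadXML('<Assertion ID="a1"><Subject>alice</Subject></Assertion>');
$node = $doc->documentElement;
$realC14n   = fn(DOMNode $n) => $n->C14N(true, false);
$brokenC14n = fn(DOMNode $n) => '';
$digestOfNothing = digestValue('');

var_dump(digestMatchesUnchecked($node, $digestOfNothing, $brokenC14n)); // weak check accepts a digest of nothing
var_dump(digestMatchesUnchecked($node, $digestOfNothing, $realC14n));   // real content does not match it
try {
    digestMatchesChecked($node, $digestOfNothing, $brokenC14n);         // hardened check aborts instead
} catch (CanonicalizationFailed $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```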

Related Identifiers

CVE-2025-66578
GHSA-C4CC-X928-VJW9

Affected Products

Libxml2
Xmlseclibs