CVE-2025-66568 and CVE-2025-66567 affects version ruby-saml <1.18.0 (including 1.12.4)

[pitbulk]

The 1.18.X is not affected by CVE-2025-66568 and CVE-2025-66567.

If you are using ruby-saml <= 1.18.0, upgrade!

[dentarg]

CVE-2025-66568 is GHSA-x4h9-gwv3-r4m4 (both links above go to GHSA-9v8j-x534-2fx3)

[pitbulk]

@dentarg, Fixed the wrong link, thanks.

[sundarraja]

@pitbulk Given the severity of the issue and that upgrading to v1.18 may take some time on our side, would you be able to suggest a patch or workaround that we could apply on v1.12.4 in the meantime?

[johnnyshields]

@sundarraja 1.18 should be a drop in replacement. Did you try it?

[ahacker1-securesaml]

If 1.18.0 doesn't work, you could try to backport it to 1.12.4 with PR:

e9c1cdb

[sundarraja]

Thanks @ahacker1-securesaml and @johnnyshields