I've been looking at how/if
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-impl…
affects pyFF or pyXMLSecurity.
First some basic facts/observations:
- pyFF deals with SAML metadata and not SAML messages so
the vuln described by the DUO team doesn't apply to pyFF.
- it's easy to imagine SAML-metadata based attacks that
would be similar to this (if perhaps more difficult in
practice).
- pyXMLSecurity is the default choice in pyFF but
not the default choice in pySAML2 for xml signature and
verification.
Ever since the wrapping attacks that came out a few years
ago pyXMLSecurity has taken the position that the library
should only return a /processed/ reference from validation.
The xmlsec.verified function does precisely this and I
have done some initial unit tests that seem to indicate
that it does so correctly - i.e. the references returned
by xmlsec.verified do not contain in-text comments unless
the #WithComments c14n method is used. However these are early
results and I'll need to do more poking around to be sure.
There are of course ways to shoot yourself in the foot
anyway. For instance if your code does
    xml = parse_xml(some_text)
    if xmlsec.verify(xml):   # verify() only answers yes/no ...
        use_bits_from(xml)   # ... so xml is still the raw, unprocessed tree
Then you're up the creek without a paddle. Instead you
need to do
    xml = parse_xml(some_text)
    verified_xml = xmlsec.verified(xml)  # the processed reference, or None/falsy
    if verified_xml:
        use_bits_from(verified_xml)      # only ever consume the verified copy
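As an added illustration (not code from this post or from pyXMLSecurity) of why the processed reference is the thing to consume, here is the difference between pulling a value out of the raw parsed document and pulling it out of a canonicalised copy, using only the Python standard library; the sample XML and the function names are my own.

```python
# Added example, not part of pyXMLSecurity. Python 3.8+ (ElementTree.canonicalize).
import xml.dom.minidom
from xml.etree import ElementTree as ET

# Constructed sample: the NameID text is interrupted by an XML comment,
# so the DOM holds two text nodes rather than one.
SAMPLE = "<Assertion><NameID>alice<!-- comment -->@example.org</NameID></Assertion>"


def naive_name_id(xml_text: str) -> str:
    """The foot-gun: read the first text node of NameID from the raw DOM.

    A signature over the element covers the whole (canonicalised) content,
    but this only sees the text before the comment.
    """
    doc = xml.dom.minidom.parseString(xml_text)
    node = doc.getElementsByTagName("NameID")[0]
    return node.firstChild.data


def processed_reference(xml_text: str, with_comments: bool = False) -> str:
    """Stand-in for the processed reference a verifier should hand back:
    the C14N form of the input. Comments are dropped unless the
    #WithComments canonicalisation method is requested."""
    return ET.canonicalize(xml_text, with_comments=with_comments)


def name_id_from_processed(xml_text: str) -> str:
    """Consume the value from the canonicalised copy, never the raw tree."""
    root = ET.fromstring(processed_reference(xml_text))
    return root.find("NameID").text


if __name__ == "__main__":
    print("raw DOM      :", naive_name_id(SAMPLE))          # alice
    print("processed    :", name_id_from_processed(SAMPLE))  # alice@example.org
    print("#WithComments:", processed_reference(SAMPLE, with_comments=True))
```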
That's it for now... more later.
Cheers Leif