I'm working on refactoring RubySaml right now so that it uses the pure Nokogiri XML parser, which would have avoided at least one of these CVEs. It's really a mess because, the way things currently work, RubySaml is subclassing REXML::Document, which you can't do in Nokogiri, and in the process I have found 15-year-old bugs in JRuby Nokogiri, for which the maintainer @flavorjones was very responsive and merged my patch. Anyway, fun times.