CVE-2025-48994 – signxml

Package

Manager: pip
Name: signxml
Vulnerable Version: >=0 <4.0.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00035 pctl0.08598

Details

SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with signxml 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.

Metadata

Created: 2025-06-05T00:38:20Z
Modified: 2025-06-05T00:38:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-6vx8-pcwv-xhf4/GHSA-6vx8-pcwv-xhf4.json
CWE IDs: ["CWE-303"]
Alternative ID: GHSA-6vx8-pcwv-xhf4
Finding: F115
Auto approve: 1