CVE-2025-48994 | THREATINT

Description

SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.

PUBLISHED Reserved 2025-05-29 | Published 2025-06-02 | Updated 2025-06-02 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-303: Incorrect Implementation of Authentication Algorithm

Product status

< 4.0.4

affected

References

github.com/...ignxml/security/advisories/GHSA-6vx8-pcwv-xhf4

github.com/...ommit/e3c0c2b82a3329a65d917830657649c98b8c7600

cve.org (CVE-2025-48994)

nvd.nist.gov (CVE-2025-48994)

Download JSON