CVE-2025-48994 Information

Jun 03, 2025 cve

Description

SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False hmac_key=...) versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the signxml.XMLVerifier.verify(expect_config=...) setting an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4 specifying hmac_key causes the set of accepted signature algorithms to be restricted to HMAC only if not already restricted by the user.

Reference

https://github.com/XML-Security/signxml/commit/e3c0c2b82a3329a65d917830657649c98b8c7600 https://github.com/XML-Security/signxml/security/advisories/GHSA-6vx8-pcwv-xhf4

Share on: