PT-2024-3292 · Unknown · Xml-Crypto

Cjbarth · Published 2024-05-01 · Updated 2025-03-20 · CVE-2024-32962

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: xml-crypto versions 4.0.0 through 5.x

Description: In its default configuration, xml-crypto checks only that an XML signature is cryptographically valid; it does not check whether the signer is authorized. This allows a malicious actor to re-sign an XML document, place the signing certificate in a <KeyInfo /> element, and pass the default validation checks, because the library trusts any certificate provided in a digitally signed XML document's <KeyInfo /> element by default. An attacker can therefore spoof signature verification by modifying the XML document and replacing the existing signature with one generated using an attacker-controlled private key. The number of potentially affected devices is not explicitly stated, but the library is used by 402 projects and has around 1 million weekly downloads.

Recommendations: For versions 4.x and 5.x, check the certificate extracted via getCertFromKeyInfo against trusted certificates before accepting the result of the validation. Alternatively, for versions 4.x and 5.x, set xml-crypto's getCertFromKeyInfo to () => undefined to force the use of an explicitly configured publicCert or privateKey for signature verification. Upgrade to version 6.0.0 or later to resolve the issue.

Exploit · Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2024-03524
CVE-2024-32962
GHSA-2XP3-57P7-QF4V

Affected Products

Xml-Crypto