PT-2025-11287 · Unknown · Xml-Crypto

Published 2025-03-14 · Updated 2026-01-28 · CVE-2025-29774

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

xml-crypto versions prior to 6.0.1
xml-crypto versions prior to 3.2.1
xml-crypto versions prior to 2.1.6

Description

The xml-crypto library for Node.js contains a vulnerability that allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. This could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. The vulnerability can be exploited to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents.

Recommendations

To resolve the issue, users of versions 6.0.0 and prior should upgrade to version 6.0.1. Users of versions 3.2.0 and prior should upgrade to version 3.2.1. Users of versions 2.1.5 and prior should upgrade to version 2.1.6. As a temporary workaround, consider implementing additional validation checks on signed XML messages to detect potential tampering. Restrict access to systems that rely on xml-crypto for verifying signed XML documents to minimize the risk of exploitation.
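
To locate installed copies that still need the upgrades listed above, including nested copies pulled in by other packages, the following added example (not part of the original advisory or the xml-crypto project) scans the `packages` map of a package-lock.json. The sample lockfile and its package names are constructed; mapping 1.x to the 2.1.6 fix and 4.x/5.x to the 6.0.1 fix is an assumption drawn from the advisory's "and prior" wording.

```javascript
// Added example: flag xml-crypto entries in a package-lock.json (lockfile
// v2/v3 "packages" map) that fall in the ranges this advisory lists.

// Parse the numeric core "X.Y.Z"; prerelease/build suffixes are ignored
// (assumption made for this example).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // equal
}

// Fixed releases from the advisory: 2.1.6, 3.2.1, 6.0.1.
// Assumption: majors <= 2 map to 2.1.6, major 3 to 3.2.1, everything else to 6.0.1.
function checkVersion(version) {
  const v = parseVersion(version);
  const fixed = v[0] <= 2 ? [2, 1, 6] : v[0] === 3 ? [3, 2, 1] : [6, 0, 1];
  return { affected: lessThan(v, fixed), upgradeTo: fixed.join('.') };
}

// Return every top-level or nested xml-crypto copy in an affected range.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/xml-crypto')) continue;
    const r = checkVersion(meta.version);
    if (r.affected) hits.push({ path, version: meta.version, upgradeTo: r.upgradeTo });
  }
  return hits;
}

// Constructed sample lockfile; the package names are hypothetical.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'example-app', version: '1.0.0' },
  'node_modules/xml-crypto': { version: '6.0.1' },
  'node_modules/example-saml-lib/node_modules/xml-crypto': { version: '3.2.0' },
  'node_modules/example-legacy/node_modules/xml-crypto': { version: '2.1.6' },
  'node_modules/example-other/node_modules/xml-crypto': { version: '4.1.0' },
} };

console.log(findAffected(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected` instead of the sample object.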

Exploit

Fix

Improper Verification of Cryptographic Signature

Weakness Enumeration

Related Identifiers

BDU:2025-04000
CVE-2025-29774
GHSA-9P8X-F768-WP2G

Affected Products

Xml-Crypto