PT-2025-11289 · Unknown · Xml-Crypto
Published: 2025-03-14 · Updated: 2025-05-07 · CVE-2025-29775
CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
xml-crypto versions prior to 6.0.1
xml-crypto versions prior to 3.2.1
xml-crypto versions prior to 2.1.6
Description
The vulnerability in xml-crypto allows an attacker to modify a validly signed XML message in a way that still passes signature verification. This could be used to alter critical identity or access-control attributes, enabling an attacker to escalate privileges or impersonate another user. The root cause lies in how the library checks cryptographic signatures.
Recommendations
For versions prior to 6.0.1, upgrade to version 6.0.1 to receive a fix.
For versions prior to 3.2.1, upgrade to version 3.2.1 to receive a fix.
For versions prior to 2.1.6, upgrade to version 2.1.6 to receive a fix.
Exploit
Fix
Weakness Enumeration
Improper Verification of Cryptographic Signature
Related Identifiers
Affected Products
Xml-Crypto