CVE-2025-48994

Name of the Vulnerable Software and Affected Versions SignXML versions prior to 4.0.4

Description The issue concerns a potential algorithm confusion attack when verifying signatures with X509 certificate validation turned off and HMAC shared secret set. This could allow an attacker to supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different signature algorithm, unless the user explicitly limits the expected signature algorithms.

Recommendations For versions prior to 4.0.4, consider explicitly limiting the expected signature algorithms using the signxml.XMLVerifier.verify(expect config=...) setting to prevent algorithm confusion attacks. As a temporary workaround, consider restricting the set of accepted signature algorithms to HMAC only, if possible, until a patch is available. Update to SignXML version 4.0.4 or later, as it restricts the set of accepted signature algorithms to HMAC only when hmac key is specified.