CVE-2025-48995

Name of the Vulnerable Software and Affected Versions SignXML versions prior to 4.0.4

Description The issue concerns a potential timing attack when verifying signatures with X509 certificate validation turned off and HMAC shared secret set. This could allow users to reconstruct the correct HMAC for any data by comparing the user-supplied hash with the correct HMAC, potentially leaking information about the correct HMAC. The signxml.XMLVerifier.verify function is used with require x509=False and hmac key set.

Recommendations For versions prior to 4.0.4, update to version 4.0.4 or later to resolve the issue. As a temporary workaround, consider disabling the verify function with require x509=False and hmac key set until a patch is available. Restrict access to the XMLVerifier class to minimize the risk of exploitation. Avoid using the hmac key parameter in the affected verify function until the issue is resolved.