CVE-2025-70887

| EUVD-2025-209004 HIGH
2026-03-25 mitre GHSA-p4hh-mq57-gq8x
8.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 19:02 euvd
EUVD-2025-209004
Analysis Generated
Mar 25, 2026 - 19:02 vuln.today
CVE Published
Mar 25, 2026 - 00:00 nvd
HIGH 8.8

Tags

Privilege Escalation Suse

Description

An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate privileges via the signed_data.py and the context.py components

Analysis

A privilege escalation vulnerability exists in ralphje Signify versions prior to 0.9.2, affecting the signed_data.py and context.py components. Remote attackers can exploit this flaw to escalate privileges within the application's cryptographic signature verification context. While CVSS and EPSS scores are not currently available, the vulnerability has been patched in version 0.9.2 and related issues have been addressed in the upstream osslsigncode project.

Technical Context

Signify is a Python library for verifying cryptographic signatures on executable files and security catalogs. The vulnerability resides in the signed_data.py and context.py modules, which handle the parsing and validation of signed code objects. The root cause appears to involve improper privilege boundary enforcement during signature context processing, allowing an attacker to manipulate the signature verification logic. The affected component processes Microsoft Authenticode signatures and security catalog data, making this particularly relevant for Windows executable verification workflows. The related osslsigncode project (a C-based implementation) has similar issues tracked in their GitHub repository, suggesting a shared conceptual vulnerability across multiple signature verification implementations.

Affected Products

ralphje Signify versions prior to 0.9.2 are affected, as confirmed by the commit reference (64f21c0cc06cea0536370686ca3ba7a01e4adaa8) in the official GitHub repository at https://github.com/ralphje/signify. The vulnerability impacts both the signed_data.py and context.py components. Related vulnerability tracking indicates that osslsigncode (the upstream C implementation used by Signify for core functionality) versions prior to 2.11 contain related issues, as referenced in https://github.com/mtrojnar/osslsigncode/issues/475 and addressed in https://github.com/mtrojnar/osslsigncode/releases/tag/2.11. Users relying on Signify for signature verification in production environments should prioritize upgrades.

Remediation

Upgrade ralphje Signify to version 0.9.2 or later immediately. The patch is available in the official GitHub repository at https://github.com/ralphje/signify/commit/64f21c0cc06cea0536370686ca3ba7a01e4adaa8. If using osslsigncode integration, ensure osslsigncode is updated to version 2.11 or later (https://github.com/mtrojnar/osslsigncode/releases/tag/2.11). Until patching is feasible, restrict Signify usage to trusted, air-gapped environments and avoid processing signatures from untrusted sources. Conduct a security audit of any code paths that handle signature verification or context manipulation to identify potential privilege escalation chains in dependent applications.

Priority Score

44
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0

Vendor Status

Share

CVE-2025-70887 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy