Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
xml-security is a library that implements XML signatures and encryption. Prior to 2.3.1, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 2.3.1.
AnalysisAI
Critical authentication bypass vulnerability in the simplesamlphp/xml-security library (versions before 2.3.1) that affects XML encryption using AES-GCM modes. Attackers can exploit missing authentication tag validation to brute-force decryption keys, decrypt sensitive XML data, and forge arbitrary ciphertexts without knowing encryption keys. No active exploitation detected (not in KEV), but the high CVSS score (8.2) and network-based attack vector make this a priority for organizations using affected SAML/XML security implementations.
Technical ContextAI
The xml-security library (CPE: cpe:2.3:a:simplesamlphp:xml-security:*:*:*:*:*:*:*:*) implements XML encryption and digital signatures, commonly used in SAML authentication flows. The vulnerability stems from CWE-354 (Improper Validation of Integrity Check Value) where AES-GCM encrypted XML nodes fail to validate the authentication tag length. GCM mode provides authenticated encryption, but without proper tag validation, the cryptographic integrity protection is compromised. This affects all versions prior to 2.3.1 when using aes-128-gcm, aes-192-gcm, or aes-256-gcm encryption algorithms.
RemediationAI
Primary remediation: Upgrade to xml-security version 2.3.1 or later, which includes the fix (commit fdc12449e959c610943f9fd428e95e3832d74c25). The patch adds proper validation of authentication tag length for GCM modes. Workaround: If immediate patching is not possible, consider temporarily switching to non-GCM encryption modes (e.g., AES-CBC) if your implementation allows, though this may have other security implications. Review the vendor advisory at https://github.com/simplesamlphp/xml-security/security/advisories/GHSA-r353-4845-pr5p for detailed guidance.
More in Xml Security
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12099
GHSA-r353-4845-pr5p