EUVD-2025-16666
GHSA-6vx8-pcwv-xhf4
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
4Description
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.
Analysis
A security vulnerability in SignXML (CVSS 6.9). Remediation should follow standard vulnerability management procedures.
Technical Context
Vulnerability type not specified by vendor. Affects SignXML.
Affected Products
['SignXML']
Remediation
Monitor vendor channels for patch availability.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| focal | DNE | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
Debian
Bug #1107195| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | fixed | 4.0.5+dfsg-2 | - |
| forky, sid | fixed | 4.2.0+dfsg-1 | - |
| (unstable) | fixed | 4.0.5+dfsg-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today