CVE-2025-29775

March 15, 2025, 9:15 p.m.

None
No Score

Description

xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

Product(s) Impacted

Vendor Product Versions
Xml-crypto
  • Xml-crypto
  • 6.0.0, 3.2.0, 2.1.5

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-347
Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a xml-crypto xml-crypto 6.0.0 / / / / / / /
a xml-crypto xml-crypto 3.2.0 / / / / / / /
a xml-crypto xml-crypto 2.1.5 / / / / / / /

References

https://github.com/node-saml/xml-crypto/commit/28f92218ecbb8dcbd238afa4efbbd50302aa9aed
https://github.com/node-saml/xml-crypto/commit/886dc63a8b4bb5ae1db9f41c7854b171eb83aa98
https://github.com/node-saml/xml-crypto/commit/8ac6118ee7978b46aa56b82cbcaa5fca58c93a07
https://github.com/node-saml/xml-crypto/releases/tag/v2.1.6
https://github.com/node-saml/xml-crypto/releases/tag/v3.2.1
https://github.com/node-saml/xml-crypto/releases/tag/v6.0.1
https://github.com/node-saml/xml-crypto/security/advisories/GHSA-x3m8-899r-f7c3
https://workos.com/blog/samlstorm

Tags

security-advisories@github.com
CWE-347
2025-03-14
CVE-2025-29775

Timeline

Published: March 14, 2025, 6:15 p.m.
Last Modified: March 15, 2025, 9:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.