2352600 – (CVE-2025-29775) CVE-2025-29775 xml-crypto: xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment

Bug 2352600 (CVE-2025-29775) - CVE-2025-29775 xml-crypto: xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment

Summary: CVE-2025-29775 xml-crypto: xml-crypto Vulnerable to XML Signature Verificatio...

Keywords:
Status:	NEW
Alias:	CVE-2025-29775
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-14 18:01 UTC by OSIDB Bzimport
Modified:	2025-05-06 08:28 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-14 18:01:45 UTC

xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

Note You need to log in before you can comment on or make changes to this bug.