CVE-2025-29775

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-29775

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-29775.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-29775

Aliases

GHSA-x3m8-899r-f7c3

Related

CGA-7jcx-wjcw-xh2q

Published

2025-03-14T17:11:05.590Z

Modified

2026-02-04T02:30:53.542585Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment

Details

xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/29xxx/CVE-2025-29775.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-347"
    ]
}

References

Affected packages

Git / github.com/node-saml/xml-crypto

Affected ranges

Type

GIT

Repo

https://github.com/node-saml/xml-crypto

Events

Introduced

07110392122a09ad8e783fa40c6580dec8d0e3db

Fixed

d80e5b77ade2f72225a2f324d5b54d20f4f4e396

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "6.0.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/node-saml/xml-crypto

Events

Introduced

f338e7a99e19afda1946c86078e8a72313f15282

Fixed

92bbddf6b986ab1bfeda6841339161dd599aa31a

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.2.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/node-saml/xml-crypto

Events

Introduced

Fixed

5d260884f48e6bc3050a7d14be13c79a5e9acdec

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.6"
        }
    ]
}

Affected versions

0.*

0.9.0

Other

v0.*

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.9.0

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.2.0

v1.3.0

v1.4.0

v1.4.1

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v2.*

v2.0.0

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v3.*

v3.0.0

v3.0.1

v3.1.0

v3.2.0

v4.*

v4.0.0

v4.0.1

v4.1.0

v5.*

v5.0.0

v5.1.0

v5.1.1

v6.*

v6.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-29775.json"