GHSA-6vx8-pcwv-xhf4

Source

https://github.com/advisories/GHSA-6vx8-pcwv-xhf4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-6vx8-pcwv-xhf4/GHSA-6vx8-pcwv-xhf4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6vx8-pcwv-xhf4

Aliases

CVE-2025-48994

Published

2025-06-05T00:38:20Z

Modified

2025-06-05T01:13:11.687029Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack

Details

When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...), prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the signxml.XMLVerifier.verify(expect_config=...) setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm.

Starting with signxml 4.0.4, specifying hmac_key causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2025-06-02T17:15:40Z",
    "cwe_ids": [
        "CWE-303"
    ],
    "github_reviewed_at": "2025-06-05T00:38:20Z"
}

References

Affected packages

PyPI / signxml

Package

Name: signxml; View open source insights on deps.dev
Purl: pkg:pypi/signxml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.4

Affected versions

0.*

0.0.1

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.5.0

0.6.0

1.*

1.0.0

1.0.1

1.0.2

2.*

2.0.0

2.1.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.6

2.3.0

2.4.0

2.5.2

2.6.0

2.7.0

2.7.1

2.7.2

2.7.3

2.8.0

2.8.1

2.8.2

2.9.0

2.10.0

2.10.1

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.1.1

3.2.0

3.2.1

3.2.2

4.*

4.0.0

4.0.1

4.0.2

4.0.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-6vx8-pcwv-xhf4/GHSA-6vx8-pcwv-xhf4.json"