GHSA-c4cc-x928-vjw9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c4cc-x928-vjw9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-c4cc-x928-vjw9/GHSA-c4cc-x928-vjw9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c4cc-x928-vjw9
- Aliases
- Published
- 2025-12-08T17:57:33Z
- Modified
- 2025-12-09T19:52:24.819272Z
- Severity
-
- 6.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
- Summary
- robrichards/xmlseclibs has an Libxml2 Canonicalization error which can bypass Digest/Signature validation
- Details
-
Summary
An authentication bypass vulnerability exists due to a flaw in the libxml2 canonicalization process, which is used by xmlseclibs during document transformation. This weakness allows an attacker to generate a valid signature once and reuse it indefinitely. In practice, a signature created during a previous interaction - or through a misconfigured authentication flow - can be replayed to bypass authentication checks.
Details
When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. xmlseclibs then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded.
https://github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php#L296
Impact
Digest bypass: By crafting input that causes canonicalization to yield an empty string, the attacker can manipulate validation to pass incorrectly.
Signature replay on empty canonical form: If an empty string has been signed once (e.g., in a prior interaction or via a misconfigured flow), that signature can potentially be replayed to bypass authentication.
Suggested remediation
Treat canonicalization failures (exceptions or nil/empty outputs) as fatal and abort validation. Add explicit checks: reject when canonicalize returns nil/empty or raise
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-12-09T16:18:21Z", "github_reviewed_at": "2025-12-08T17:57:33Z", "severity": "MODERATE", "cwe_ids": [ "CWE-248" ] }- References
-
- https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9
- https://nvd.nist.gov/vuln/detail/CVE-2025-66578
- https://github.com/robrichards/xmlseclibs/commit/69fd63080bc47a8d51bc101c30b7cb756862d1d6
- https://github.com/robrichards/xmlseclibs
- https://github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php#L296
Affected packages
Packagist / robrichards/xmlseclibs
Package
- Name
- robrichards/xmlseclibs
- Purl
- pkg:composer/robrichards/xmlseclibs
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.1.4