When verifying signatures with X509 certificate validation turned off and an HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user-supplied hash, allowing users to reconstruct the correct HMAC for any data.
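The class of flaw described above (CWE-208), shown as an added example that is not SignXML's own code: an early-exit comparison does an amount of work that depends on how many leading bytes of the supplied value are correct, while `hmac.compare_digest` does not. The key, data and function names are constructed for illustration, and the work is counted in bytes examined rather than measured in time so the result is deterministic.

```python
import hashlib
import hmac

# Constructed sample inputs (assumptions, not taken from the advisory).
KEY = b"constructed-demo-key"
DATA = b"<SignedInfo>constructed sample</SignedInfo>"


def compute_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the signed data, as a verifier would recompute it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def early_exit_equal(expected: bytes, supplied: bytes) -> tuple:
    """Naive comparison that stops at the first mismatching byte.

    Returns (equal, bytes_examined); bytes_examined stands in for the
    data-dependent running time that an observer could measure.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify_hardened(key: bytes, data: bytes, supplied: bytes) -> bool:
    """Constant-time check: running time does not depend on where bytes differ."""
    return hmac.compare_digest(compute_tag(key, data), supplied)


def work_profile() -> tuple:
    """Bytes examined by the naive compare for a first-byte and a last-byte error."""
    tag = compute_tag(KEY, DATA)
    wrong_first = bytes([tag[0] ^ 0xFF]) + tag[1:]
    wrong_last = tag[:-1] + bytes([tag[-1] ^ 0xFF])
    return (early_exit_equal(tag, wrong_first)[1],
            early_exit_equal(tag, wrong_last)[1])


if __name__ == "__main__":
    print("naive compare, bytes examined (first wrong, last wrong):", work_profile())
    print("hardened verify accepts correct tag:",
          verify_hardened(KEY, DATA, compute_tag(KEY, DATA)))
```

When reviewing verification code, any `==` or hand-written loop over a MAC or signature value is the pattern to flag and replace with a constant-time comparison.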
{ "nvd_published_at": "2025-06-02T17:15:41Z", "cwe_ids": [ "CWE-208" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-06-05T00:37:19Z" }