UBUNTU-CVE-2025-48994

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-48994

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48994.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-48994

Upstream

CVE-2025-48994

Published

2025-06-02T17:15:00Z

Modified

2026-05-20T16:23:32.664013111Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the signxml.XMLVerifier.verify(expect_config=...) setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying hmac_key causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.

References

Affected packages

Ubuntu:25.10 / python-signxml

Package

Name: python-signxml
Purl: pkg:deb/ubuntu/python-signxml?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.0.3+dfsg-1

4.0.5+dfsg-1

4.0.5+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-signxml",
            "binary_version": "4.0.5+dfsg-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48994.json"

Ubuntu:26.04:LTS / python-signxml