Summary: Two critical vulnerabilities have been discovered in the xml-crypto library, affecting its ability to securely verify XML signatures. Identified as CVE-2025-29774 and CVE-2025-29775, both vulnerabilities carry a CVSSv4 score of 9.3, posing serious risks for applications utilizing this library. Users are urged to upgrade to version 6.0.1 or the appropriate patch versions to mitigate these security threats.
Affected: xml-crypto library (all versions up to 6.0.0)
Keypoints :
- Both CVEs allow attackers to bypass signature verification processes.
- CVE-2025-29774 involves multiple SignedInfo nodes, allowing modification of signed XML messages.
- CVE-2025-29775 includes exploitation through comments within a DigestValue, indicating potential tampering.
- Indicators of compromise are provided to help detect these vulnerabilities during XML payload logging.
- Users still on older xml-crypto versions are strongly recommended to upgrade.