CVE-2025-29775: xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment
(updated )
An attacker may be able to exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker to escalate privileges or impersonate another user.
References
- github.com/advisories/GHSA-x3m8-899r-f7c3
- github.com/node-saml/xml-crypto
- github.com/node-saml/xml-crypto/commit/28f92218ecbb8dcbd238afa4efbbd50302aa9aed
- github.com/node-saml/xml-crypto/commit/886dc63a8b4bb5ae1db9f41c7854b171eb83aa98
- github.com/node-saml/xml-crypto/commit/8ac6118ee7978b46aa56b82cbcaa5fca58c93a07
- github.com/node-saml/xml-crypto/releases/tag/v2.1.6
- github.com/node-saml/xml-crypto/releases/tag/v3.2.1
- github.com/node-saml/xml-crypto/releases/tag/v6.0.1
- github.com/node-saml/xml-crypto/security/advisories/GHSA-x3m8-899r-f7c3
- nvd.nist.gov/vuln/detail/CVE-2025-29775
- workos.com/blog/samlstorm
Detect and mitigate CVE-2025-29775 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →