Vulnerability Description
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.
Related Weaknesses (CWE)
References
- https://github.com/XML-Security/signxml/commit/e3c0c2b82a3329a65d917830657649c98
- https://github.com/XML-Security/signxml/security/advisories/GHSA-6vx8-pcwv-xhf4
FAQ
What is CVE-2025-48994?
CVE-2025-48994 is a documented vulnerability. SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(...
How severe is CVE-2025-48994?
CVSS scoring is not yet available for CVE-2025-48994. Check NVD for updates.
Is there a patch for CVE-2025-48994?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.