CVE-2025-48994 – SignXML Algorithm Confusion Vulnerability

CVE ID : CVE-2025-48994

Published : June 2, 2025, 5:15 p.m. | 1 hour, 10 minutes ago

Description : SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=…`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=…)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…