SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.
History

Mon, 02 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Jun 2025 16:45:00 +0000

Type Values Removed Values Added
Description SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.
Title SignXML's signature verification with HMAC is vulnerable to a timing attack
Weaknesses CWE-208
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-06-02T16:23:27.706Z

Updated: 2025-06-02T16:41:13.270Z

Reserved: 2025-05-29T16:34:07.174Z

Link: CVE-2025-48995

cve-icon Vulnrichment

Updated: 2025-06-02T16:41:06.346Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-06-02T17:15:41.063

Modified: 2025-06-02T17:32:17.397

Link: CVE-2025-48995

cve-icon Redhat

No data.