PYSEC-2026-1921
SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack
상세
When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm.
Starting with signxml 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/XML-Security/signxml/security/advisories/GHSA-6vx8-pcwv-xhf4 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-48994 [ADVISORY]
- https://github.com/XML-Security/signxml/commit/e3c0c2b82a3329a65d917830657649c98b8c7600 [WEB]
- https://github.com/XML-Security/signxml [PACKAGE]
- https://pypi.org/project/signxml [PACKAGE]
- https://github.com/advisories/GHSA-6vx8-pcwv-xhf4 [ADVISORY]