—
PYSEC-2026-1922
SignXML's signature verification with HMAC is vulnerable to a timing attack
상세
When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/XML-Security/signxml/security/advisories/GHSA-gmhf-gg8w-jw42 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-48995 [ADVISORY]
- https://github.com/XML-Security/signxml/commit/1b501faaacf34cf978a52dbc6915ec11e27611cd [WEB]
- https://github.com/XML-Security/signxml [PACKAGE]
- https://pypi.org/project/signxml [PACKAGE]
- https://github.com/advisories/GHSA-gmhf-gg8w-jw42 [ADVISORY]