CVE-2025-29774
Essential information
- Published
- 14/03/2025 17:15
- Modified
- 15/03/2025 21:15
- Author
- —
- Creator
- —
- CISA KEV
- No
- CWE
- —
- CVSS vector
- — — —
Description
xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.
NVD status
- Status
- Received — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| nodejs / xml-crypto | cpe:2.3:a:nodejs:xml-crypto:2.1.6:*:*:*:*:*:*:* |
| nodejs / xml-crypto | cpe:2.3:a:nodejs:xml-crypto:3.2.1:*:*:*:*:*:*:* |
| nodejs / xml-crypto | cpe:2.3:a:nodejs:xml-crypto:6.0.1:*:*:*:*:*:*:* |