216.73.217.176

CVE-2025-29774

· Published 14/03/2025 17:15 · Modified 15/03/2025 21:15

Labels: CVE-2025-29774 2025-03-14CVE-2025-29774CWE-347[email protected]

Essential information

Published
14/03/2025 17:15
Modified
15/03/2025 21:15
Author
Creator
CISA KEV
No
CWE

Description

xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
nodejs / xml-crypto cpe:2.3:a:nodejs:xml-crypto:2.1.6:*:*:*:*:*:*:*
nodejs / xml-crypto cpe:2.3:a:nodejs:xml-crypto:3.2.1:*:*:*:*:*:*:*
nodejs / xml-crypto cpe:2.3:a:nodejs:xml-crypto:6.0.1:*:*:*:*:*:*:*

References