CVE-2025-48994

Description

SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.

How to fix CVE-2025-48994

To remediate CVE-2025-48994, upgrade the affected package to a fixed version below.

• —upgrade to 4.0.5+dfsg-1 or later
• —upgrade to 4.0.4 or later

Is CVE-2025-48994 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 4.0.5+dfsg-1
• from 0, < 4.0.4

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-48994
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-48994
• PATCHgithub.com/XML-Security/signxml
• WEBgithub.com/XML-Security/signxml/commit/e3c0c2b82a3329a65d917830657649c98b8c7600