CVE-2025-29774
published 2025-03-14


Priority: P2 66 · Critical 9.3 (CVSS 4.0)
EPSS: 9.05% (94.6th percentile)
xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

Affected (6 ranges)

Vendor | Product | Version range | Fixed in
node-saml | xml-crypto | < 2.1.6 | 2.1.6
node-saml | xml-crypto | (no range listed) | (none listed)
node-saml | xml-crypto | (no range listed) | (none listed)
node-saml | xml-crypto | >= 0 < 2.1.6 | 2.1.6
node-saml | xml-crypto | >= 3.0.0 < 3.2.1 | 3.2.1
node-saml | xml-crypto | >= 4.0.0 < 6.0.1 | 6.0.1

Detection & IOCs (extracted from sources)

url: github.com/node-saml/xml-crypto/security/advisories/GHSA-9p8x-f768-wp2g
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS xml-crypto SAML Authentication Bypass Multiple SignedInfo References (CVE-2025-29774)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SAMLResponse|3d|"; fast_pattern; base64_decode:offset 0, relative; base64_data; content:"|3c|saml2p|3a|Response"; content:"|3c|SignedInfo|3e|"; content:"|3c|SignedInfo|3e|"; distance:0; reference:url,github.com/node-saml/xml-crypto/security/advisories/GHSA-9p8x-f768-wp2g; reference:cve,2025-29774; classtype:web-application-attack; sid:2060961; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_03_19, cve CVE_2025_29774, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_03_25, reviewed_at 2025_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic is an HTTP POST request containing a SAMLResponse parameter (the HTTP-POST binding). The base64-decoded body will contain a <saml2p:Response> element with TWO distinct <SignedInfo> blocks; the presence of duplicate <SignedInfo> elements is the core exploit indicator. Note that the rule matches the literal strings <saml2p:Response and <SignedInfo>, so a response that uses a different namespace prefix (for example samlp:Response or ds:SignedInfo) will not trigger it; treat the rule as a narrow indicator rather than full coverage of the technique.
  • Detection requires TLS decryption (SSLDecrypt/TLSDecrypt) to inspect the POST body for the duplicate SignedInfo pattern in SAML responses.
  • The attack technique is Exploit Public-Facing Application (T1190) under Initial Access (TA0001), targeting SAML SSO endpoints that use xml-crypto for signature verification.
  • The vulnerability allows privilege escalation or user impersonation by modifying identity/access control attributes in a signed XML message that still passes signature verification — monitor for unexpected role/attribute changes in SAML assertions from otherwise valid accounts.
  • Red Hat has assessed that no mitigation meeting their criteria is currently available for affected packages (e.g., openshift-serverless kn-backstage-plugins-eventmesh-rhel8); patching to xml-crypto 6.0.1, 3.2.1, or 2.1.6 is the only fix.
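The duplicate-SignedInfo indicator can also be checked outside Snort, for instance in a request-logging hook in front of the SAML ACS endpoint. The following is an added example, not code from this page, from the ET rule, or from the xml-crypto project: it mirrors the rule's logic in Node.js (the platform xml-crypto runs on) over a form-encoded POST body. It assumes the HTTP-POST binding (a SAMLResponse form parameter, as the rule does), uses a regular-expression pre-check rather than a full XML parser, and matches element names regardless of namespace prefix, so samlp:/saml2p: Response and ds:SignedInfo/bare SignedInfo are all handled. The SAML documents embedded below are constructed samples, not captured traffic.

```javascript
// Added example (not from the page, the ET rule or xml-crypto): a
// dependency-free Node.js pre-filter for the duplicate-SignedInfo
// indicator of CVE-2025-29774. Regex-based and prefix-agnostic; it is a
// detection aid, not a replacement for upgrading xml-crypto.

// Opening tag of an element with the given local name and any (or no)
// namespace prefix. The lookahead stops "Signature" from also matching
// "SignatureValue" or "SignatureMethod".
function openTagRe(localName) {
  return new RegExp(`<(?:[A-Za-z_][\\w.-]*:)?${localName}(?=[\\s>/])`, "g");
}

function countTags(xml, localName) {
  return (xml.match(openTagRe(localName)) || []).length;
}

// Extract and base64-decode the SAMLResponse parameter of an
// application/x-www-form-urlencoded body; null when the parameter is absent.
function decodeSamlResponse(body) {
  const b64 = new URLSearchParams(body).get("SAMLResponse");
  if (b64 === null) return null;
  return Buffer.from(b64, "base64").toString("utf8");
}

// A correctly formed signed document carries exactly one SignedInfo per
// Signature. More SignedInfo than Signature elements, or more than one
// SignedInfo at all, is the indicator the Snort rule keys on.
function inspectSamlResponse(xml) {
  const signatures = countTags(xml, "Signature");
  const signedInfos = countTags(xml, "SignedInfo");
  const isResponse = countTags(xml, "Response") > 0;
  return {
    isResponse,
    signatures,
    signedInfos,
    suspicious: isResponse && (signedInfos > 1 || signedInfos > signatures),
  };
}

function inspectPostBody(body) {
  const xml = decodeSamlResponse(body);
  return xml === null
    ? { isResponse: false, signatures: 0, signedInfos: 0, suspicious: false }
    : inspectSamlResponse(xml);
}

// ---- constructed samples (illustrative, not real assertions) ----
const DS = 'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"';
const SIGNED_INFO = '<ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>';

// One Signature, one SignedInfo: the normal shape.
const BENIGN_XML =
  '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">' +
  `<ds:Signature ${DS}>${SIGNED_INFO}` +
  "<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>" +
  "</saml2p:Response>";

// Same document with a second SignedInfo injected into the single
// Signature; uses the samlp prefix, which the literal Snort rule would miss.
const TAMPERED_XML =
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">' +
  `<ds:Signature ${DS}>${SIGNED_INFO}${SIGNED_INFO}` +
  "<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>" +
  "</samlp:Response>";

// Encode as the browser would for the HTTP-POST binding.
function toPostBody(xml) {
  return "SAMLResponse=" + encodeURIComponent(Buffer.from(xml, "utf8").toString("base64"));
}

const BENIGN_BODY = toPostBody(BENIGN_XML);
const TAMPERED_BODY = toPostBody(TAMPERED_XML);

console.log(inspectPostBody(BENIGN_BODY));   // suspicious: false
console.log(inspectPostBody(TAMPERED_BODY)); // suspicious: true, signedInfos: 2
```

Run it with node; the tampered sample reports one Signature and two SignedInfo elements and is flagged, while the benign sample and a body with no SAMLResponse parameter are not. Because it operates on the decoded body, it has the same TLS-decryption requirement as the Snort rule when deployed off-host; inside the application it can run on the already-decrypted request.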

CVSS provenance

nvd · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat · 9.3 CRITICAL