Potential Timing Attack in SignXML Implementation by XML Security
CVE-2025-48995
6.9 MEDIUM
What is CVE-2025-48995?
The SignXML library, which implements the W3C XML Signature standard in Python, is susceptible to a timing attack due to its improper handling of signature verification. Specifically, when X509 certificate validation is disabled and a shared HMAC key is used, the library may inadvertently leak information about the correct HMAC during hash comparisons. This vulnerability exists in SignXML versions prior to 4.0.4 and allows malicious users to exploit timing discrepancies to reconstruct valid HMAC values for arbitrary data, thereby compromising the integrity of the verification process. For details on the vulnerability, please visit the references provided.
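The leak described above, shown as an added example (this is not SignXML's code and does not come from the advisory): a model of an early-exit comparison whose work depends on how many leading bytes of the supplied HMAC are correct, next to a verification built on Python's `hmac.compare_digest`. The key, the data and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the advisory.
SHARED_KEY = b"constructed-demo-key"
SIGNED_INFO = b"<SignedInfo>constructed sample</SignedInfo>"


def compute_mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the bytes being verified."""
    return hmac.new(key, data, hashlib.sha256).digest()


def early_exit_compare(expected: bytes, supplied: bytes):
    """Model of a non-constant-time comparison.

    Returns (equal, bytes_examined). bytes_examined stands in for running
    time: it grows with the length of the matching prefix, which is the
    information a timing side channel exposes.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify_hardened(key: bytes, data: bytes, supplied: bytes) -> bool:
    """Verification whose timing does not depend on where the values differ."""
    return hmac.compare_digest(compute_mac(key, data), supplied)


def leak_profile(expected: bytes):
    """Bytes examined by the early-exit compare for a mismatch at each position."""
    profile = []
    for pos in range(len(expected)):
        forged = bytearray(expected)
        forged[pos] ^= 0xFF  # guarantee a mismatch at exactly this position
        profile.append(early_exit_compare(expected, bytes(forged))[1])
    return profile


if __name__ == "__main__":
    mac = compute_mac(SHARED_KEY, SIGNED_INFO)
    print("early-exit work per mismatch position:", leak_profile(mac))
    print("hardened verify accepts correct MAC:", verify_hardened(SHARED_KEY, SIGNED_INFO, mac))
```

The profile rises by one byte per correct leading byte, which is the dependency a constant-time comparison removes.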
Affected Version(s)
signxml < 4.0.4