CVE-2025-48995

Name: CVE-2025-48995
Description: SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and an HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user-supplied hash, allowing users to reconstruct the correct HMAC for any data.
Source: CVE
Debian Bugs: 1107195
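The defect class the description refers to, as an added illustration that is not SignXML's own code: a verifier that checks an HMAC-based SignatureValue with a plain `==` (which stops at the first differing byte) next to the same check done with `hmac.compare_digest`, the usual fix for this class of leak. The shared secret and the SignedInfo bytes below are constructed sample input; real XML-DSig canonicalization is out of scope here.

```python
import base64
import hashlib
import hmac

# Constructed sample input (not taken from signxml or the advisory): the
# canonicalized <SignedInfo> bytes a verifier would MAC, and the shared secret
# that plays the role of the hmac_key= argument.
SHARED_SECRET = b"example-shared-secret"
SIGNED_INFO = b"<SignedInfo>constructed-canonical-bytes</SignedInfo>"
TAMPERED_SIGNED_INFO = b"<SignedInfo>tampered-canonical-bytes</SignedInfo>"


def compute_hmac(key: bytes, signed_info: bytes) -> bytes:
    """HMAC-SHA256 over the canonical SignedInfo bytes."""
    return hmac.new(key, signed_info, hashlib.sha256).digest()


def make_signature_value(key: bytes, signed_info: bytes) -> str:
    """Base64 SignatureValue text as it would appear in the <Signature> element."""
    return base64.b64encode(compute_hmac(key, signed_info)).decode("ascii")


def verify_naive(key: bytes, signed_info: bytes, signature_value_b64: str) -> bool:
    """Weak form: bytes.__eq__ returns as soon as the first mismatching byte is
    found, so the time spent depends on how long the supplied prefix matches the
    correct MAC. That position-dependent timing is what a verifier must not leak."""
    supplied = base64.b64decode(signature_value_b64)
    return supplied == compute_hmac(key, signed_info)


def verify_constant_time(key: bytes, signed_info: bytes, signature_value_b64: str) -> bool:
    """Hardened form: hmac.compare_digest inspects every byte regardless of where
    the first mismatch lies, so the result is the same but the timing is not
    correlated with the position of the mismatch."""
    supplied = base64.b64decode(signature_value_b64)
    expected = compute_hmac(key, signed_info)
    # compare_digest returns False for inputs of different length, so a
    # truncated SignatureValue is rejected without a length-dependent branch.
    return hmac.compare_digest(supplied, expected)


# Constructed fixtures for the checks below.
GOOD_SIGNATURE_VALUE = make_signature_value(SHARED_SECRET, SIGNED_INFO)
TRUNCATED_SIGNATURE_VALUE = base64.b64encode(
    compute_hmac(SHARED_SECRET, SIGNED_INFO)[:16]
).decode("ascii")
```

Both functions accept and reject the same inputs; only the constant-time form is safe to expose to an untrusted party who can submit many SignatureValues.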

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         Release   Version         Status
python-signxml (PTS)   trixie    4.0.3+dfsg-1    vulnerable
python-signxml (PTS)   sid       4.0.5+dfsg-2    fixed

The information below is based on the following data on fixed versions.

Package          Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
python-signxml   source   (unstable)   4.0.5+dfsg-1                        1107195

Notes

https://github.com/XML-Security/signxml/security/advisories/GHSA-gmhf-gg8w-jw42
Fixed by: https://github.com/XML-Security/signxml/commit/1b501faaacf34cf978a52dbc6915ec11e27611cd (v4.0.4)
