6.9

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48994

CVE-2025-48994: SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack

When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...), prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the signxml.XMLVerifier.verify(expect_config=...) setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm.

Starting with signxml 4.0.4, specifying hmac_key causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-48994

CVE-2025-48994:

6.9

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
signxml	pip	< 4.0.4	4.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, as described, occurs when signxml.XMLVerifier.verify is called with require_x509=False and an hmac_key is set, but without explicitly restricting expect_config to HMAC algorithms. The provided patch directly modifies the verify method in signxml/verifier.py to address this. The patch introduces logic at the beginning of the verify method to check if an hmac_key is provided. If it is, and if the expect_config.signature_methods is still at its default (meaning the user hasn't specifically configured it), the signature_methods are automatically restricted to only HMAC-based algorithms. If the user has configured signature_methods but they include non-HMAC algorithms while an hmac_key is also set, an InvalidInput exception is raised. This change directly mitigates the algorithm confusion by ensuring that the presence of an hmac_key enforces the use of HMAC algorithms. Therefore, the verify method is the function that contained the vulnerability because it lacked this enforcement, allowing for the processing of signatures with unexpected algorithms.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-48994: SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack

CVE-2025-48994:

6.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-48994: SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack

6.9

6.9

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI