- Description
- xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-347
- Hype score
- Not currently trending
100万以上ダウンロードされている、Node.jsライブラリ「xml-crypto」に深刻な脆弱性(CVE-2025-29774, CVE-2025-29775) #セキュリティ対策Lab #セキュリティ #Security https://t.co/SxGHaocoet
@securityLab_jp
24 Mar 2025
43 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
Critical flaws in xml-crypto (CVE-2025-29774, CVE-2025-29775) hit Node.js library 1.1M downloads. CVSS 9.3: Signature bypass risks escalation. Upgrade to 6.0.1! Read More: https://t.co/DhfnMGEp2R https://t.co/zWAtkCj2XE
@threatsbank
20 Mar 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical vulnerabilities in the xml-crypto library (CVE-2025-29774 & CVE-2025-29775) allow attackers to bypass XML signature verification. Update to version 6.0.1 to secure applications! ⚠️ #xmlCrypto #OpenSource #USA link: https://t.co/GwzHDCMmV0 https://t.co/NFokr2KOp2
@TweetThreatNews
19 Mar 2025
28 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-29774 ⚠️🔴 CRITICAL (9.3) 🏢 node-saml - xml-crypto 🏗️ >= 4.0.0, < 6.0.1 🔗 https://t.co/HcoAxc4f50 🔗 https://t.co/c9XkXuX1pO 🔗 https://t.co/w6c5bNXeKM 🔗 https://t.co/ERGgThfwKs #CyberCron #VulnAlert #InfoSec https://t.co/8RA9CnNRBW
@cybercronai
16 Mar 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-29774 xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2… https://t.co/E2UggsUhRK
@CVEnew
14 Mar 2025
254 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes