{"url":"http://public2.vulnerablecode.io/api/packages/81147?format=json","purl":"pkg:npm/xml-crypto@4.0.0","type":"npm","namespace":"","name":"xml-crypto","version":"4.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.0.0","latest_non_vulnerable_version":"6.0.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54711?format=json","vulnerability_id":"VCID-9jj5-xy45-sue6","summary":"xml-crypto vulnerable to XML signature verification bypass due improper verification of signature/signature spoofing\nDefault configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto` default validation checks.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32962.json","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32962.json"},{"reference_url":"https://github.com/node-saml/xml-crypto","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto"},{"reference_url":"https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000"},{"reference_url":"https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca"},{"reference_url":"https://github.com/node-saml/xml-crypto/discussions/399","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/discussions/399"},{"reference_url":"https://github.com/node-saml/xml-crypto/pull/301","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/pull/301"},{"reference_url":"https://github.com/node-saml/xml-crypto/pull/445","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/pull/445"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240705-0003","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240705-0003"},{"reference_url":"https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2278798","reference_id":"2278798","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2278798"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32962","reference_id":"CVE-2024-32962","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32962"},{"reference_url":"https://github.com/advisories/GHSA-2xp3-57p7-qf4v","reference_id":"GHSA-2xp3-57p7-qf4v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2xp3-57p7-qf4v"},{"reference_url":"https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v","reference_id":"GHSA-2xp3-57p7-qf4v","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81148?format=json","purl":"pkg:npm/xml-crypto@6.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/xml-crypto@6.0.0"}],"aliases":["CVE-2024-32962","GHSA-2xp3-57p7-qf4v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9jj5-xy45-sue6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56812?format=json","vulnerability_id":"VCID-am16-rjug-t3fa","summary":"xml-crypto Vulnerable to XML Signature Verification Bypass via Multiple SignedInfo References\nAn attacker may be able to exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-29774.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-29774.json"},{"reference_url":"https://github.com/node-saml/xml-crypto","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto"},{"reference_url":"https://github.com/node-saml/xml-crypto/commit/28f92218ecbb8dcbd238afa4efbbd50302aa9aed","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/commit/28f92218ecbb8dcbd238afa4efbbd50302aa9aed"},{"reference_url":"https://github.com/node-saml/xml-crypto/commit/886dc63a8b4bb5ae1db9f41c7854b171eb83aa98","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/commit/886dc63a8b4bb5ae1db9f41c7854b171eb83aa98"},{"reference_url":"https://github.com/node-saml/xml-crypto/commit/8ac6118ee7978b46aa56b82cbcaa5fca58c93a07","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/commit/8ac6118ee7978b46aa56b82cbcaa5fca58c93a07"},{"reference_url":"https://github.com/node-saml/xml-crypto/releases/tag/v2.1.6","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/releases/tag/v2.1.6"},{"reference_url":"https://github.com/node-saml/xml-crypto/releases/tag/v3.2.1","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/releases/tag/v3.2.1"},{"reference_url":"https://github.com/node-saml/xml-crypto/releases/tag/v6.0.1","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/releases/tag/v6.0.1"},{"reference_url":"https://workos.com/blog/samlstorm","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://workos.com/blog/samlstorm"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352596","reference_id":"2352596","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352596"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29774","reference_id":"CVE-2025-29774","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29774"},{"reference_url":"https://github.com/advisories/GHSA-9p8x-f768-wp2g","reference_id":"GHSA-9p8x-f768-wp2g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9p8x-f768-wp2g"},{"reference_url":"https://github.com/node-saml/xml-crypto/security/advisories/GHSA-9p8x-f768-wp2g","reference_id":"GHSA-9p8x-f768-wp2g","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/security/advisories/GHSA-9p8x-f768-wp2g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3374","reference_id":"RHSA-2025:3374","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3374"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3595","reference_id":"RHSA-2025:3595","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3595"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84401?format=json","purl":"pkg:npm/xml-crypto@6.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/xml-crypto@6.0.1"}],"aliases":["CVE-2025-29774","GHSA-9p8x-f768-wp2g"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-am16-rjug-t3fa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56808?format=json","vulnerability_id":"VCID-jt3b-tqv6-5ybb","summary":"xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment\nAn attacker may be able to exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker to escalate privileges or impersonate another user.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-29775.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-29775.json"},{"reference_url":"https://github.com/node-saml/xml-crypto","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto"},{"reference_url":"https://github.com/node-saml/xml-crypto/commit/28f92218ecbb8dcbd238afa4efbbd50302aa9aed","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/commit/28f92218ecbb8dcbd238afa4efbbd50302aa9aed"},{"reference_url":"https://github.com/node-saml/xml-crypto/commit/886dc63a8b4bb5ae1db9f41c7854b171eb83aa98","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/commit/886dc63a8b4bb5ae1db9f41c7854b171eb83aa98"},{"reference_url":"https://github.com/node-saml/xml-crypto/commit/8ac6118ee7978b46aa56b82cbcaa5fca58c93a07","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/commit/8ac6118ee7978b46aa56b82cbcaa5fca58c93a07"},{"reference_url":"https://github.com/node-saml/xml-crypto/releases/tag/v2.1.6","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/releases/tag/v2.1.6"},{"reference_url":"https://github.com/node-saml/xml-crypto/releases/tag/v3.2.1","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/releases/tag/v3.2.1"},{"reference_url":"https://github.com/node-saml/xml-crypto/releases/tag/v6.0.1","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/releases/tag/v6.0.1"},{"reference_url":"https://workos.com/blog/samlstorm","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://workos.com/blog/samlstorm"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352600","reference_id":"2352600","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2352600"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29775","reference_id":"CVE-2025-29775","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29775"},{"reference_url":"https://github.com/advisories/GHSA-x3m8-899r-f7c3","reference_id":"GHSA-x3m8-899r-f7c3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x3m8-899r-f7c3"},{"reference_url":"https://github.com/node-saml/xml-crypto/security/advisories/GHSA-x3m8-899r-f7c3","reference_id":"GHSA-x3m8-899r-f7c3","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/node-saml/xml-crypto/security/advisories/GHSA-x3m8-899r-f7c3"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3374","reference_id":"RHSA-2025:3374","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3374"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3595","reference_id":"RHSA-2025:3595","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3595"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:7626","reference_id":"RHSA-2025:7626","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:7626"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84401?format=json","purl":"pkg:npm/xml-crypto@6.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/xml-crypto@6.0.1"}],"aliases":["CVE-2025-29775","GHSA-x3m8-899r-f7c3"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jt3b-tqv6-5ybb"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/xml-crypto@4.0.0"}