14 matches found
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Improper Verification of Cryptographic Signature due to xml-crypto (CVE-2025-29774, CVE-2025-29775)
Summary: Potential vulnerabilities in xml-crypto module CVE-2025-29774, CVE-2025-29775 have been identified that may affect IBM Cloud Pak for Data. Vulnerability Details: CVEID: CVE-2025-29774 DESCRIPTION: xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js modules axios and xml-crypto (CVE-2025-27152, CVE-2025-29774, CVE-2025-29775 and CVE-2024-57965)
Summary: IBM App Connect Enterprise runtime, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise Connector Discovery and OpenAPI Editor are vulnerable to multiple vulnerabilities due to Node.js modules axios and xml-crypto. Vulnerability Details: CVEID: CVE-2025-27152...
XML Signature Bypass
xml-crypto is vulnerable to an XML Signature Bypass. The vulnerability is due to improper validation of signed XML structures, allowing an attacker to modify a signed XML message while still passing signature verification checks...
XML Signature Manipulation
xml-crypto is vulnerable to an XML signature manipulation. The vulnerability is due to improper validation of signed XML documents, which allows an attacker to modify a signed XML message while still passing signature verification checks...
CVE-2025-29774
xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. Th...
@boxyhq/saml-jackson (>=1.3.2 <=1.11.1), @boxyhq/saml20 (>=1.0.11 <=1.2.3) +4 more potentially affected by CVE-2025-29774 via xml-crypto (>=3.0.0 <=3.2.0)
xml-crypto NPM version =3.0.0, =1.3.2, =1.0.11, =1.13.3, =1.13.5, =2.1.0, =1.0.0, =1.0.1 Source cves: CVE-2025-29774 Source advisory: OSV:GHSA-9P8X-F768-WP2G...
@13w/soap (=0.26.0), @3wks/gae-node-nestjs (>=0.1.0 <=6.0.0-rc.0) +845 more potentially affected by CVE-2025-29774 via xml-crypto (>=0.0.10 <=2.1.5)
xml-crypto NPM version =0.0.10, =0.1.0, =1.0.4, =0.34.1, =0.34.0, =0.0.1, =0.6.1, =0.1.1, =0.16.9, =0.7.1, =1.0.0, =1.0.0, =0.1.1, =0.1.7 - @amazon-spider-tools/exchange-rate =0.1.0 and more Source cves: CVE-2025-29774 Source advisory: OSV:GHSA-9P8X-F768-WP2G...
CVE-2025-29775 xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment
xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. Th...
CVE-2025-29775 xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment
xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. Th...
CVE-2025-29774
CVE-2025-29774 concerns the xml-crypto Node.js library. The issue allows an attacker to modify a valid signed XML message such that signature verification still passes, enabling bypass of authentication/authorization in systems that rely on xml-crypto for verifying signed XML. Affected versions a...
PT-2025-11287
Name of the Vulnerable Software and Affected Versions: xml-crypto versions prior to 6.0.1 xml-crypto versions prior to 3.2.1 xml-crypto versions prior to 2.1.6 Description: The xml-crypto library for Node.js contains a vulnerability that allows an attacker to modify a valid signed XML message in a...
PT-2025-11289 · Unknown · Xml-Crypto
Name of the Vulnerable Software and Affected Versions: xml-crypto versions prior to 6.0.1 xml-crypto versions prior to 3.2.1 xml-crypto versions prior to 2.1.6 Description: The vulnerability in xml-crypto allows an attacker to modify a valid signed XML message in a way that still passes signature...
xml-crypto Security Vulnerability
NPM xml-crypto is a digital signature and cryptography library from NPM. A security vulnerability in xml-crypto versions 4.0.0 through 6.0.0, which stems from a default configuration that does not check the authorization of the signer, allows attackers to bypass XML signature verification...
Improper Key Verification
xml-crypto is vulnerable to improper key verification. An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation...