CVE-2025-40934

Name

CVE-2025-40934

Description

XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document to make it pass the verification check. XML-Sig is a Perl module to validate signatures on XML files. An unsigned XML file should return an error message. The affected versions return true when attempting to validate an XML file that contains no signatures.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
issue-tracking	https://github.com/perl-net-saml2/perl-XML-Sig/issues/63
patch	https://github.com/perl-net-saml2/perl-XML-Sig/pull/64

CPE URI	Source package	Min version	Max version
	xml::sig	== 0.27	== None
`cpe:2.3:a:xml\:\:sig_project:xml\:\:sig::::::perl::*`	\	>= 0.27	<= 0.67

Source package	Branch	Version	Maintainer	Status
perl-xml-sig	edge-community	0.68-r0	Timothy Legge <timlegge@gmail.com>	fixed
perl-xml-sig	3.23-community	0.68-r0	Timothy Legge <timlegge@gmail.com>	fixed
perl-xml-sig	3.22-community	0.68-r0	Timothy Legge <timlegge@gmail.com>	fixed

References

Match rules

Vulnerable and fixed packages