9.3

CVE-2025-40934

EPSS 0.14%
Veröffentlicht 26.11.2025 22:34:33
Zuletzt bearbeitet 30.12.2025 15:21:37
Quelle 9b29abf9-4ab0-4765-b253-1875cd
CVE-Watchlists
Login
Unerledigt
Login

XML-Sig prior to 0.68 for Perl improperly validates XML without signatures

XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted.

An attacker can remove the signature from the XML document to make it pass the verification check.

XML-Sig is a Perl module to validate signatures on XML files.  An unsigned XML file should return an error message.  The affected versions return true when attempting to validate an XML file that contains no signatures.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xml::sig Project ≫ Xml::sig SwPlatformperl Version >= 0.27 <= 0.67

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.035

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.3	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/perl-net-saml2/perl-XML-Sig/issues/63

Patch

Issue Tracking

https://github.com/perl-net-saml2/perl-XML-Sig/pull/64

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-40934

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-40934

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-40934

EUVD