CVE-2025-40934
CRITICAL EPSS 4.0%
Published Nov 26, 20257mo ago · Modified Jun 17, 20262w ago
9.3 CVSS 3.1
Published Nov 26, 2025 7mo ago
Last Modified Jun 17, 2026 2w ago
Description
XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document to make it pass the verification check. XML-Sig is a Perl module to validate signatures on XML files. An unsigned XML file should return an error message. The affected versions return true when attempting to validate an XML file that contains no signatures.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity High
Availability None
Threat Intelligence
EPSS Exploit Probability
4.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-347
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| xml\ | \ | sig_project | ≥0.27 – ≤0.67 |
References 2
- github.com https://github.com/perl-net-saml2/perl-XML-Sig/issues/63
- github.com https://github.com/perl-net-saml2/perl-XML-Sig/pull/64
Remediation
- github.com https://github.com/perl-net-saml2/perl-XML-Sig/issues/63