CVE-2025-40934

CRITICAL EPSS 4.0%
Published Nov 26, 20257mo ago · Modified Jun 17, 20262w ago
9.3 CVSS 3.1
Critical
Find Similar
Published Nov 26, 2025 7mo ago
Last Modified Jun 17, 2026 2w ago

Description

XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document to make it pass the verification check. XML-Sig is a Perl module to validate signatures on XML files.  An unsigned XML file should return an error message.  The affected versions return true when attempting to validate an XML file that contains no signatures.

CVSS Details

Base Score
9.3
Exploitability
3.9
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
4.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-347

Affected Products 1

VendorProductVersionRange
xml\\sig_project≥0.27  –  ≤0.67

References 2

  • github.com https://github.com/perl-net-saml2/perl-XML-Sig/issues/63
    Issue TrackingPatch
  • github.com https://github.com/perl-net-saml2/perl-XML-Sig/pull/64
    Issue Tracking

Remediation

  • github.com https://github.com/perl-net-saml2/perl-XML-Sig/issues/63
    Issue TrackingPatch