
Two critical vulnerabilities have been identified in the xml-crypto library, a popular Node.js library for XML digital signature and encryption. With over 1.1 million weekly downloads, the library’s flaws could have widespread implications for applications relying on it for XML signature verification.
Both vulnerabilities, CVE-2025-29774 and CVE-2025-29775, are rated CVSSv4 9.3 (critical). Successful exploitation allows an attacker to bypass authentication or authorization in systems that rely on xml-crypto to verify signed XML documents, because a tampered document is accepted as if its signature were valid.
CVE-2025-29774: XML Signature Verification Bypass via Multiple SignedInfo References
This vulnerability allows an attacker to modify a valid signed XML message in a way that bypasses signature verification checks. “For example,” the advisory states, “it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user.”
The vulnerability is related to the presence of multiple SignedInfo nodes within a Signature. “There should not be more than one SignedInfo node inside a Signature,” the report clarifies. “If you find multiple SignedInfo nodes, it could indicate an attack.”
CVE-2025-29775: XML Signature Verification Bypass via DigestValue Comment
Similar to CVE-2025-29774, this vulnerability enables an attacker to modify a valid signed XML message to bypass signature verification. In this case, the vulnerability lies in the presence of comments within a DigestValue. “A DigestValue should not contain comments,” the advisory emphasizes. “If you find comments within it, this may indicate tampering.”
Affected Versions and Patches
All xml-crypto versions up to and including 6.0.0 are affected by both vulnerabilities. Users are strongly advised to upgrade to version 6.0.1 as soon as possible. Users still on the v2.x or v3.x lines should upgrade to the corresponding patch release (2.1.6 and 3.2.1 respectively).
Indicators of Compromise
The report provides indicators of compromise to help detect attempted exploitation of these vulnerabilities. When logging XML payloads, check them for these indicators; if a payload contains encrypted elements, run the checks on the decrypted form, since the tampered structures sit inside the signed XML and would otherwise be hidden. These checks matter most in XML-based authentication and authorization flows, such as SAML Response payloads.
For CVE-2025-29774, the indicator is more than one SignedInfo node inside a single Signature element. For CVE-2025-29775, the indicator is a comment inside a DigestValue element. The report also provides code snippets to assist in detecting these indicators.
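The following scanner is an added example, not code from the advisory or from xml-crypto itself, that checks logged XML for both indicators described above (multiple SignedInfo nodes under one Signature for CVE-2025-29774, a comment inside DigestValue for CVE-2025-29775). It is dependency-free so it runs on a plain Node.js install: it walks the XML text as a stream of tags and comments with a stack of open element names, stripping namespace prefixes so `ds:Signature` and `Signature` are treated alike. It assumes the payload has already been decrypted and that attribute values do not contain a raw `>`; the sample payloads are constructed SAML-Response-like skeletons, not real captures.

```javascript
'use strict';

// Added example (not the advisory's or xml-crypto's own code): a dependency-free
// scanner for the two indicators of compromise. Assumptions: payloads are already
// decrypted and attribute values contain no raw '>' (if yours can, apply the same
// logic to a parsed DOM instead of the raw text).

// Strip a namespace prefix: 'ds:SignedInfo' -> 'SignedInfo'.
function localName(qname) {
  const i = qname.indexOf(':');
  return i === -1 ? qname : qname.slice(i + 1);
}

// Returns a list of { ioc, detail } findings; an empty list means neither IoC fired.
function scanSignatureIocs(xml) {
  const findings = [];
  const open = [];     // local names of currently open elements, outermost first
  const sigInfo = [];  // SignedInfo count for each currently open Signature element
  let i = 0;
  while (i < xml.length) {
    const lt = xml.indexOf('<', i);
    if (lt === -1) break;
    if (xml.startsWith('<!--', lt)) {                       // XML comment
      const end = xml.indexOf('-->', lt + 4);
      if (end === -1) break;
      if (open.includes('DigestValue')) {                   // CVE-2025-29775 indicator
        findings.push({ ioc: 'CVE-2025-29775',
          detail: 'comment inside DigestValue: ' + xml.slice(lt, end + 3) });
      }
      i = end + 3;
      continue;
    }
    if (xml.startsWith('<![CDATA[', lt)) {                  // CDATA: opaque text, skip it
      const end = xml.indexOf(']]>', lt + 9);
      i = end === -1 ? xml.length : end + 3;
      continue;
    }
    const gt = xml.indexOf('>', lt + 1);
    if (gt === -1) break;
    i = gt + 1;
    const body = xml.slice(lt + 1, gt).trim();
    if (body.startsWith('?') || body.startsWith('!')) continue;  // PI or DOCTYPE
    if (body.startsWith('/')) {                             // closing tag
      const name = localName(body.slice(1).trim());
      open.pop();
      if (name === 'Signature') {                           // CVE-2025-29774 indicator
        const n = sigInfo.pop();
        if (n > 1) {
          findings.push({ ioc: 'CVE-2025-29774',
            detail: `Signature element contains ${n} SignedInfo nodes` });
        }
      }
      continue;
    }
    const selfClosing = body.endsWith('/');
    const name = localName(body.split(/[\s/]/, 1)[0]);     // drop attributes and '/'
    if (name === 'SignedInfo' && open[open.length - 1] === 'Signature') {
      sigInfo[sigInfo.length - 1] += 1;                     // only direct children count
    }
    if (selfClosing) continue;
    open.push(name);
    if (name === 'Signature') sigInfo.push(0);
  }
  return findings;
}

// Constructed sample payloads (minimal SAML-Response-like skeletons, not real captures).
const CLEAN = `<samlp:Response ID="r1"><ds:Signature>
  <ds:SignedInfo><ds:Reference URI="#r1"><ds:DigestValue>abc=</ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>sig=</ds:SignatureValue></ds:Signature></samlp:Response>`;

const MULTI_SIGNEDINFO = `<samlp:Response ID="r1"><ds:Signature>
  <ds:SignedInfo><ds:Reference URI="#r1"><ds:DigestValue>abc=</ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignedInfo><ds:Reference URI="#other"><ds:DigestValue>xyz=</ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>sig=</ds:SignatureValue></ds:Signature></samlp:Response>`;

const COMMENT_IN_DIGEST = `<samlp:Response ID="r1"><ds:Signature>
  <ds:SignedInfo><ds:Reference URI="#r1"><ds:DigestValue>ab<!-- x -->c=</ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>sig=</ds:SignatureValue></ds:Signature></samlp:Response>`;

// Usage: run each logged payload through the scanner and alert on any finding.
for (const [label, xml] of Object.entries({ CLEAN, MULTI_SIGNEDINFO, COMMENT_IN_DIGEST })) {
  const hits = scanSignatureIocs(xml);
  console.log(label + ':', hits.length ? hits.map((h) => h.ioc).join(', ') : 'no IoC');
}
```

Only SignedInfo elements that are direct children of a Signature are counted, and a comment anywhere inside a DigestValue subtree is flagged, which matches the two indicators as the advisory states them. A text scanner like this is adequate for log review; in the verification path itself the fix is to upgrade, not to pre-filter input.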