CVE-2025-48995 – SignXML Timing Attack HMAC Leak

June 2, 2025

CVE ID : CVE-2025-48995

Published : June 2, 2025, 5:15 p.m. | 2 hours, 9 minutes ago

Description : SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=…`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-5036 – Autodesk Revit Use-After-Free Vulnerability

Next Article CVE-2025-48994 – SignXML Algorithm Confusion Vulnerability

Designing For TV: Principles, Patterns And Practical Guidance (Part 2)

Neo4j introduces new graph architecture that allows operational and analytics workloads to be run together

Beyond the benchmarks: Understanding the coding personalities of different LLMs

Top 10 Use Cases of Vibe Coding in Large-Scale Node.js Applications

Building smarter interactions with MCP elicitation: From clunky tool calls to seamless user experiences

From Zero to MCP: Simplifying AI Integrations with xmcp

Distribution Release: Linux Mint 22.2

Coded Smorgasbord: Basically, a Smorgasbord

Drupal 11’s AI Features: What They Actually Mean for Your Team

Drupal 11’s AI Features: What They Actually Mean for Your Team

Why Data Governance Matters More Than Ever in 2025?

Perficient Included in the IDC Market Glance for Digital Business Professional Services, 3Q25

How DevOps Teams Are Redefining Reliability with NixOS and OSTree-Powered Linux

How DevOps Teams Are Redefining Reliability with NixOS and OSTree-Powered Linux

Distribution Release: Linux Mint 22.2

‘Cronos: The New Dawn’ was by far my favorite experience at Gamescom 2025 — Bloober might have cooked an Xbox / PC horror masterpiece

CVE-2025-48995 – SignXML Timing Attack HMAC Leak

Critical Linux UDisks Daemon Vulnerability (CVE-2025-8067) Exposes Privileged Data to Local Attackers

Google Slapped with $381 Million Fine in France Over Gmail Ads, Cookie Consent Missteps

CVE-2025-6879 – “SourceCodester Best Salon Management System SQL Injection”

CVE-2025-6103 – “WiFi-soft UniBox Controller Os Command Injection Vulnerability”

New Amazon Bedrock Data Automation capabilities streamline video and audio analysis

NVIDIA’s GeForce 577.00 WHQL driver brings DLSS 4, game fixes, and new app controls

NVIDIA’s drivers are causing big problems for DOOM: The Dark Ages, but some fixes are available

Apple Intelligence page no longer reads “Available Now” — I wonder if Apple has lost faith in its AI strategy after so many delays?

Samsung ‘Galaxy Glasses’ powered by Android XR are reportedly on track to be unveiled this month

CVE-2025-28121 – Code-Projects Online Exam Mastering System XSS Vulnerability

CVE-2025-48995 – SignXML Timing Attack HMAC Leak

Related Posts