
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-29774 is a critical vulnerability in xml-crypto, an XML digital signature and encryption library for Node.js. It affects xml-crypto versions before 2.1.6, the 3.x line before 3.2.1, and versions 4.0.0 through 6.0.0 (fixed in 6.0.1). The vulnerability was disclosed on March 14, 2025, and allows attackers to bypass authentication or authorization in systems that rely on xml-crypto to verify signed XML documents (GitHub Advisory, WorkOS Blog).
The root cause is a mismatch in which view of the XML document the two halves of signature verification operate on. The digest check on the referenced content (in SAML, the assertion) is performed against a non-canonicalized document, which still contains XML comments, while the signature check over SignedInfo is performed against a canonicalized document, from which comments have been stripped. Because the two steps do not see the same bytes, an attacker can modify a validly signed XML message in a way that still passes signature verification. This is a parser-differential bug: the cryptography itself is sound, but it is applied to a different document than the one the application ultimately consumes. The vulnerability has been assigned a CVSS v4.0 score of 9.3 CRITICAL (NVD).
An attacker who holds a validly signed XML document (in SAML, any assertion issued by the Identity Provider) can use this vulnerability to bypass authentication and potentially gain access to any user account in an affected application, including administrative accounts. The exploit requires no user interaction and could enable full account takeover in organizations that use SAML-based single sign-on. Any system that relies on xml-crypto to verify signed XML documents is affected, often transitively through a SAML library built on it, with SAML authentication flows being the most prominent case (WorkOS Blog, Security Online).
Upgrade to xml-crypto 6.0.1 or later. For deployments pinned to an older major version, fixes were backported to 3.2.1 and 2.1.6; 4.x and 5.x received no backport and must move to 6.0.1. Organizations should review their SAML logs for signs of exploitation, specifically XML comments embedded inside the DigestValue element of signed responses, which legitimately generated signatures do not contain. Service providers should also enforce tenant isolation, so that a signed document from one tenant's Identity Provider can never authenticate a user in another tenant, and apply the principle of least privilege to what each Identity Provider is trusted to assert (GitHub Release, WorkOS Blog).
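The log review described above can be automated. The following is an added example, not code from this page, from WorkOS, or from the xml-crypto project: a dependency-free Node.js scanner that flags XML comments embedded inside DigestValue elements of logged SAML responses (raw XML or base64-encoded SAMLResponse values), plus a check of an installed xml-crypto version against the affected ranges. The sample log entries, user names and digest strings are constructed for the example; the affected-range logic is an assumption derived from the patched versions listed above (2.1.6, 3.2.1, 6.0.1). The scanner deliberately inspects the raw text rather than a DOM, because a comment-stripping (canonicalized) view is exactly what hides this indicator.

```javascript
// Added example: scanner for XML comments inside DigestValue plus an
// xml-crypto version check. Not code from the Wiz page, WorkOS, or xml-crypto.

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Assumption: ranges derived from the patched releases 2.1.6, 3.2.1 and 6.0.1;
// 4.x and 5.x received no backported fix.
function isVulnerableXmlCrypto(version) {
  const v = parseSemver(version);
  if (v[0] <= 2) return compareVersions(v, [2, 1, 6]) < 0; // 0.x/1.x/2.x: fixed in 2.1.6
  if (v[0] === 3) return compareVersions(v, [3, 2, 1]) < 0; // 3.x: fixed in 3.2.1
  return compareVersions(v, [6, 0, 1]) < 0;                  // 4.x, 5.x, 6.0.0: fixed in 6.0.1
}

// Logged SAMLResponse values are usually base64; accept either raw XML or base64.
function toXml(logged) {
  const s = String(logged).trim();
  return s.startsWith('<') ? s : Buffer.from(s, 'base64').toString('utf8');
}

// Walk every DigestValue element (any namespace prefix) and collect the XML
// comments found between its open and close tags. Operates on raw text on
// purpose: a comment-stripping parser would erase the very indicator we want.
function findDigestValueComments(xml) {
  const findings = [];
  const openTag = /<(?:[A-Za-z_][\w.-]*:)?DigestValue\b[^>]*?(\/?)>/g;
  let m;
  while ((m = openTag.exec(xml)) !== null) {
    if (m[1] === '/') continue;                        // self-closing: no content
    let pos = m.index + m[0].length;
    const comments = [];
    let visibleText = '';
    for (;;) {
      const lt = xml.indexOf('<', pos);
      if (lt < 0) { pos = xml.length; break; }         // malformed: no closing tag
      visibleText += xml.slice(pos, lt);
      if (!xml.startsWith('<!--', lt)) { pos = lt; break; } // reached </DigestValue>
      const end = xml.indexOf('-->', lt + 4);
      if (end < 0) { pos = xml.length; break; }        // unterminated comment
      comments.push(xml.slice(lt + 4, end));
      pos = end + 3;
    }
    if (comments.length > 0) {
      findings.push({ offset: m.index, visibleText: visibleText.trim(), comments });
    }
    openTag.lastIndex = pos;
  }
  return findings;
}

function scanSamlResponse(logged) {
  const findings = findDigestValueComments(toXml(logged));
  return { suspicious: findings.length > 0, findings };
}

// Constructed sample responses (not real IdP output; digest values are made up).
const CLEAN_RESPONSE = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#_a1">
          <ds:DigestValue>uS6JZ6eG1x9CbCKsoVPq7q2K4XK5fN0a3Iu5JkzAyUE=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>`;

// Same response with a comment smuggled into DigestValue: the indicator to hunt for.
const TAMPERED_RESPONSE = CLEAN_RESPONSE.replace(
  '<ds:DigestValue>',
  '<ds:DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=<!-- smuggled -->'
);

// Constructed log entries: one base64-encoded (as an SP typically stores it), one raw.
const SAMPLE_LOG = [
  { user: 'alice', samlResponse: Buffer.from(CLEAN_RESPONSE).toString('base64') },
  { user: 'bob', samlResponse: TAMPERED_RESPONSE },
];

function flaggedUsers(log) {
  return log.filter((e) => scanSamlResponse(e.samlResponse).suspicious).map((e) => e.user);
}

console.log('flagged users:', flaggedUsers(SAMPLE_LOG));
console.log('xml-crypto 6.0.0 vulnerable:', isVulnerableXmlCrypto('6.0.0'));
console.log('xml-crypto 6.0.1 vulnerable:', isVulnerableXmlCrypto('6.0.1'));
```

To use this against a real deployment, feed `flaggedUsers` the stored SAMLResponse payloads from the service provider's authentication log; a hit is a strong signal because legitimately produced signatures never carry comments inside DigestValue. The version check is only a first pass: run it against the resolved version in the lockfile, since xml-crypto is frequently a transitive dependency of a SAML library rather than a direct one.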
The vulnerability was initially reported to WorkOS, which mobilized its security and engineering teams to address the issue. WorkOS then worked with other identity platforms, startups, and library maintainers to accelerate remediation across the industry, leading to a coordinated response involving multiple security teams and researchers (WorkOS Blog).
Source: This report was generated using AI