Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-29775
CVE-2025-29775:
JavaScript vulnerability analysis and mitigation
Overview
CVE-2025-29775 is a critical vulnerability discovered in xml-crypto, an XML digital signature and encryption library for Node.js, affecting versions prior to 6.0.1, 3.2.1, and 2.1.6. The vulnerability was disclosed on March 14, 2025, and allows attackers to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents (NVD, SecurityOnline).
Technical details
The vulnerability allows an attacker to modify a valid signed XML message while still passing signature verification checks. The core issue lies in how the library handles digest value verification, where XML comments within a DigestValue can be exploited. The vulnerability has received a CVSS v4.0 score of 9.3 CRITICAL, with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD, WorkOS).
Impact
The vulnerability enables attackers to bypass authentication or authorization mechanisms, potentially leading to full account takeovers within affected service providers. Attackers could alter critical identity or access control attributes, enabling privilege escalation or user impersonation, including administrative accounts. The vulnerability affects systems using xml-crypto for verifying signed XML documents, particularly in SAML-based authentication implementations (WorkOS, GitHub Advisory).
Mitigation and workarounds
Users are strongly advised to upgrade to version 6.0.1 of xml-crypto. For those still using older versions, patches have been backported to v3.2.1 and v2.1.6. Organizations should review their SAML logs for signs of exploitation, particularly looking for comments embedded in the DigestValue field of responses (GitHub Release v6.0.1, GitHub Advisory).
Community reactions
WorkOS, upon receiving the vulnerability report, immediately mobilized its security and engineering teams and deployed a fix within 24 hours for all customers. They also proactively worked with other identity platforms and startups to accelerate remediation efforts across the industry. The vulnerability has been dubbed 'SAMLStorm' due to its significant impact on SAML-based authentication systems (WorkOS).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management