CVE-2025-48994: 
Python vulnerability analysis and mitigation

SignXML, an implementation of the W3C XML Signature standard in Python, disclosed a vulnerability (CVE-2025-48994) affecting versions prior to 4.0.4. The vulnerability was discovered when verifying signatures with X509 certificate validation turned off and HMAC shared secret set. The issue was reported on June 2, 2025, and has been assigned a CVSS v4.0 score of 6.9 (MEDIUM) (GitHub Advisory).

The vulnerability occurs when using the signxml.XMLVerifier.verify(requirex509=False, hmackey=...) configuration. Unless the user explicitly limits the expected signature algorithms using the signxml.XMLVerifier.verify(expect_config=...) setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different asymmetric key signature algorithm. The issue has been classified as CWE-303 (Incorrect Implementation of Authentication Algorithm) (NVD).

The vulnerability could allow an attacker to bypass the intended HMAC authentication mechanism by using a different signature algorithm than expected. This could potentially lead to unauthorized access or manipulation of signed XML documents, compromising the integrity and authenticity of the verification process (GitHub Advisory).

The vulnerability has been patched in SignXML version 4.0.4. In the fixed version, specifying hmackey automatically restricts the set of accepted signature algorithms to HMAC only, if not already restricted by the user. Users should upgrade to version 4.0.4 or later to address this vulnerability. Additionally, users can mitigate the risk by explicitly restricting the allowed signature algorithms using the expectconfig parameter (GitHub Commit).