CVE-2025-48995: 
Python vulnerability analysis and mitigation

SignXML, an implementation of the W3C XML Signature standard in Python, disclosed a timing attack vulnerability (CVE-2025-48995) on June 2, 2025. The vulnerability affects versions prior to 4.0.4 when verifying signatures with X509 certificate validation turned off and HMAC shared secret set. This security issue was discovered and reported by ahacker1-securesaml (GitHub Advisory).

The vulnerability occurs in the signature verification process when using the signxml.XMLVerifier.verify(require_x509=False, hmac_key=...) configuration. The verifier implementation may leak timing information during the HMAC comparison process, which could allow an attacker to reconstruct the correct HMAC for any data. The issue has been assigned a CVSS v4.0 score of 6.9 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (NVD).

The timing attack vulnerability could allow attackers to reconstruct the correct HMAC for any data by analyzing the timing differences during signature verification. This could potentially lead to signature forgery and compromise the integrity of the XML signature verification process (GitHub Advisory).

The vulnerability has been patched in SignXML version 4.0.4. The fix implements the official time-safe HMAC Verification API from the cryptography library, as evidenced by the patch commit. Users should upgrade to version 4.0.4 or later to address this security issue (GitHub Commit).