xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| xml-crypto (npm) | 4.0.0 | 6.0.1 | N/A |
| xml-crypto (npm) | 3.0.0 | 3.2.1 | N/A |
| xml-crypto (npm) | 0 | 2.1.6 | N/A |
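As an added example (not code from the advisory or the xml-crypto project), a dependency check that encodes the affected ranges from the table above and walks an npm lockfile's `packages` map, nested copies included, since xml-crypto is usually pulled in transitively by SAML libraries; the lockfile below is constructed sample data.

```javascript
// Affected ranges from the advisory table: [introduced, fixed) per major line.
const AFFECTED_RANGES = [
  { introduced: "4.0.0", fixed: "6.0.1" },
  { introduced: "3.0.0", fixed: "3.2.1" },
  { introduced: "0.0.0", fixed: "2.1.6" },
];

// Parse "major.minor.patch" with an optional pre-release suffix. A pre-release
// of the fixed version (e.g. 6.0.1-rc.1) is treated as older than the fix,
// so it is still flagged as affected.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1; // pre-release sorts first
  return 0;
}

// Returns the matching affected range, or null when the version is patched.
function affectedRange(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.introduced) >= 0 &&
        compareVersions(version, r.fixed) < 0) return r;
  }
  return null;
}

// Walk a lockfileVersion 2/3 "packages" map and report every affected copy
// of xml-crypto, including nested ones under other packages' node_modules.
function findAffectedInLockfile(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/xml-crypto") || !info.version) continue;
    const r = affectedRange(info.version);
    if (r) hits.push({ path, version: info.version, upgradeTo: r.fixed });
  }
  return hits;
}

// Constructed sample lockfile: one top-level copy and two nested copies.
const SAMPLE_LOCK = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "node_modules/xml-crypto": { version: "6.0.0" },
    "node_modules/saml-lib/node_modules/xml-crypto": { version: "3.2.1" },
    "node_modules/legacy-lib/node_modules/xml-crypto": { version: "2.1.5" },
  },
};
```

Running `findAffectedInLockfile(SAMPLE_LOCK)` reports the 6.0.0 and 2.1.5 copies with their respective upgrade targets and leaves the patched 3.2.1 copy alone.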