CVE-2025-29774

CRITICAL

xml-crypto < 6.0.1, 3.0.0-3.2.0, < 2.1.6 - Cryptographic Signature Verification Bypass

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-29774. PoCs published by demining and Mrrishuyt.

AI-analyzed exploit summary: This repository contains a detailed writeup and analysis of CVE-2025-29774, focusing on digital signature forgery attacks in the xml-crypto library used in Node.js applications. It describes how vulnerabilities in signature verification can lead to authentication bypass and privilege escalation.

Description

xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

Exploits (3)

nomisec WRITEUP 4 stars
by demining · poc
https://github.com/demining/Digital-Signature-Forgery-Attack

This repository contains a detailed writeup and analysis of CVE-2025-29774, focusing on digital signature forgery attacks in the xml-crypto library used in Node.js applications. It describes how vulnerabilities in signature verification can lead to authentication bypass and privilege escalation.

Classification: Writeup (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Theoretical
Target: xml-crypto library (Node.js), IBM App Connect Enterprise Certified Container
No auth needed
Prerequisites: Access to a system using the vulnerable xml-crypto library · Ability to craft malicious XML documents
Analyzed by devstral-2 on Feb 16, 2026
nomisec WRITEUP 1 star
by demining · poc
https://github.com/demining/Phantom-Signature-Attack

This repository contains a detailed writeup on CVE-2025-29774, a critical vulnerability in the Bitcoin protocol's SIGHASH_SINGLE implementation. It describes a Phantom Signature Attack that exploits incorrect cryptographic primitive processing to recover private keys.

Classification: Writeup (90%)
Attack Type: Other
Complexity: Complex
Reliability: Theoretical
Target: Bitcoin Protocol (SIGHASH_SINGLE implementation)
No auth needed
Prerequisites: Understanding of ECDSA and secp256k1 curve · Access to vulnerable Bitcoin transaction processing
Analyzed by devstral-2 on Feb 16, 2026
nomisec SUSPICIOUS
by Mrrishuyt · poc
https://github.com/Mrrishuyt/mrrishuyt.github.io

The repository lacks actual exploit code and instead directs users to download an external application from a GitHub releases page. The README is vague, uses marketing language, and does not provide technical details about CVE-2025-29774 or the vulnerability itself.

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Bitcoin (SIGHASH_SINGLE implementation)
No auth needed
Prerequisites: User interaction to download and run external application
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v4: 9.3
EPSS: 0.0047
EPSS Percentile: 65.2%
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-347
Status: published
Products (4)
node-saml/xml-crypto < 2.1.6
node-saml/xml-crypto >= 3.0.0, < 3.2.1
node-saml/xml-crypto >= 4.0.0, < 6.0.1
npm/xml-crypto 4.0.0 - 6.0.1
Published: Mar 14, 2025
Tracked Since: Feb 18, 2026