CVE-2025-29775

CRITICAL

xml-crypto < 6.0.1, 3.0.0-3.2.1, < 2.1.6 - Cryptographic Signature Verification Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-29775. PoCs published by twypsy, ethicalPap.

AI-analyzed exploit summary The repository contains functional exploit code for CVE-2025-29775, demonstrating SAML response forgery via two attack vectors (v1 and v2). The PoC modifies SAML assertions and digests to bypass authentication, leveraging parser differentials in xml-crypto and Node.js libraries.

Description

xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

Exploits (2)

github WORKING POC
by twypsy · pythonpoc
https://github.com/twypsy/CVE-POCs/tree/main/cve-2025-29775

The repository contains functional exploit code for CVE-2025-29775, demonstrating SAML response forgery via two attack vectors (v1 and v2). The PoC modifies SAML assertions and digests to bypass authentication, leveraging parser differentials in xml-crypto and Node.js libraries.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: xml-crypto and Node.js SAML libraries
No auth needed
Prerequisites: A file containing the HTTP POST request with a signed SAML response · The name of the POST parameter containing the SAML response · The username to append to the assertion · (Optional) Hashing algorithm to be used (sha1, sha256, sha384, sha512)
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by ethicalPap · poc
https://github.com/ethicalPap/CVE-2025-29775

This repository contains a functional PoC for CVE-2025-29775, demonstrating a SAML signature verification bypass via XML comment injection in the DigestValue element. The exploit modifies a SAML response to elevate privileges by changing the NameID to 'admin' while preserving the original signature validity.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: @node-saml/node-saml (via xml-crypto library)
No auth needed
Prerequisites: Valid SAML response to modify · Access to intercept/modify SAML traffic
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References

Scores

CVSS v4 9.3
EPSS 0.0020
EPSS Percentile 41.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-347
Status published
Products (4)
node-saml/xml-crypto < 2.1.6
node-saml/xml-crypto >= 3.0.0, < 3.2.1
node-saml/xml-crypto >= 4.0.0, < 6.0.1
npm/xml-crypto 4.0.0 - 6.0.1npm
Published Mar 14, 2025
Tracked Since Feb 18, 2026