Validation of SignedInfo
Description
Validation bypass in xml-security library allows signature forgery via manipulation of canonicalized DigestValue; fixed in versions 1.6.12 and 5.0.0-alpha.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Overview
CVE-2023-49087 is a vulnerability in the SimpleSAMLphp xml-security library, which implements XML signatures and encryption. The flaw allows an attacker to forge an XML signature if they can manipulate the DigestValue in the canonicalized form of the document, for instance by exploiting a bug in PHP's canonicalization function. [1][2]
Exploitation
The attack exploits the signature validation process: verification requires both that the hash of the XML document matches a DigestValue and that the cryptographic signature on the SignedInfo element is valid. If an attacker can alter the canonicalized form of the document to change its DigestValue without detection, they can forge a valid signature. The exact prerequisites depend on the ability to manipulate canonicalization outside of the library's control. [2][4]
Impact
Successful exploitation allows an attacker to forge XML signatures, potentially leading to authentication bypass or data integrity compromise in applications that rely on xml-security for signature verification. The severity is high because signature validation is a critical security boundary. [2]
Mitigation
The issue has been patched in xml-security version 1.6.12 and the alpha release 5.0.0-alpha.13. Users are advised to update immediately. The fix commit (f509e3083dd7870cce5880c804b5122317287581) changes the validation method so that the references are checked against the canonicalized SignedInfo element, the form the signature actually covers, before verification. [4]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| simplesamlphp/xml-security (Packagist) | >= 1.6.11, < 1.6.12 | 1.6.12 |
| simplesamlphp/saml2 (Packagist) | >= 5.0.0-alpha.12, < 5.0.0-alpha.13 | 5.0.0-alpha.13 |
Affected products
- ghsa-coords (2 version ranges):
  - (no CPE) range: >= 5.0.0-alpha.12, < 5.0.0-alpha.13
  - (no CPE) range: >= 1.6.11, < 1.6.12
- simplesamlphp/xml-security (v5) range: = 1.6.11
Patches
- f509e3083dd7: Merge pull request from GHSA-ww7x-3gxh-qm6r
1 file changed · +8 −4
src/XML/SignedElementTrait.php+8 −4 modified@@ -24,6 +24,7 @@ use SimpleSAML\XMLSecurity\Utils\XPath; use SimpleSAML\XMLSecurity\XML\ds\Reference; use SimpleSAML\XMLSecurity\XML\ds\Signature; +use SimpleSAML\XMLSecurity\XML\ds\SignedInfo; use SimpleSAML\XMLSecurity\XML\ds\X509Certificate; use SimpleSAML\XMLSecurity\XML\ds\X509Data; @@ -124,12 +125,11 @@ private function validateReferenceUri(Reference $reference, DOMElement $xml): vo /** + * @param \SimpleSAML\XMLSecurity\XML\ds\SignedInfo $signedInfo * @return \SimpleSAML\XMLSecurity\XML\SignedElementInterface */ - private function validateReference(): SignedElementInterface + private function validateReference(SignedInfo $signedInfo): SignedElementInterface { - /** @var \SimpleSAML\XMLSecurity\XML\ds\Signature $this->signature */ - $signedInfo = $this->signature->getSignedInfo(); $references = $signedInfo->getReferences(); Assert::count( $references, @@ -177,8 +177,12 @@ private function verifyInternal(SignatureAlgorithmInterface $verifier): SignedEl /** @var \SimpleSAML\XMLSecurity\XML\ds\Signature $this->signature */ $signedInfo = $this->signature->getSignedInfo(); $c14nAlg = $signedInfo->getCanonicalizationMethod()->getAlgorithm(); + + // the canonicalized ds:SignedInfo element (plaintext) $c14nSignedInfo = $signedInfo->canonicalize($c14nAlg); - $ref = $this->validateReference(); + $ref = $this->validateReference( + SignedInfo::fromXML(DOMDocumentFactory::fromString($c14nSignedInfo)->documentElement), + ); if ( $verifier?->verify(
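Review bot: In the `verifyInternal` hunk, `DOMDocumentFactory::fromString(...)` is introduced while the only new import in this patch is `use SimpleSAML\XMLSecurity\XML\ds\SignedInfo;`; confirm that `DOMDocumentFactory` is already imported in `SignedElementTrait.php` outside the visible context, since an unqualified class name in PHP otherwise resolves against the current namespace. Re-parsing the canonical bytes with `SignedInfo::fromXML(DOMDocumentFactory::fromString($c14nSignedInfo)->documentElement)` and handing that object to `validateReference()` is the right shape for the fix: previously the references came from `$this->signature->getSignedInfo()`, the pre-canonicalization object, so the digests being checked were not necessarily those described by the `SignedInfo` bytes the signature verifies. The added comment `// the canonicalized ds:SignedInfo element (plaintext)` should state that reason, because nothing else in the code explains why the `SignedInfo` is parsed a second time, and a regression test with a `SignedInfo` whose parsed and canonicalized forms differ in a `DigestValue` would keep a later refactor from reverting to the original object.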
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-ww7x-3gxh-qm6r (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-49087 (ghsa; ADVISORY)
- github.com/simplesamlphp/xml-security/blob/master/src/XML/SignedElementTrait.php (ghsa; WEB)
- github.com/simplesamlphp/xml-security/commit/f509e3083dd7870cce5880c804b5122317287581 (ghsa; x_refsource_MISC; WEB)
- github.com/simplesamlphp/xml-security/security/advisories/GHSA-ww7x-3gxh-qm6r (ghsa; x_refsource_CONFIRM; WEB)
News mentions
No linked articles in our index yet.