VYPR
Critical severityOSV Advisory· Published Mar 14, 2025· Updated Apr 15, 2026

CVE-2025-29774

CVE-2025-29774

Description

xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
xml-cryptonpm
>= 4.0.0, < 6.0.16.0.1
xml-cryptonpm
>= 3.0.0, < 3.2.13.2.1
xml-cryptonpm
< 2.1.62.1.6

Affected products

6

Patches

Vulnerability mechanics

References

10

News mentions

0

No linked articles in our index yet.