/ 
XML-Sig-0.66
River stage one • 1 direct dependent • 1 total dependent
⭐ Starred 1 GitHub stars
Security Advisories (1)
CVE-2025-40934 (2025-11-26)

XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document to make it pass the verification check. XML-Sig is a Perl module to validate signatures on XML files.  An unsigned XML file should return an error message.  The affected versions return true when attempting to validate an XML file that contains no signatures.

Changes for version 0.66 - 2025-05-08

  • Notable Changes since 0.65
    • POSSIBLE BREAKING CHANGE
    • Crypt::OpenSSL::RSA disabled use_pkcs1_padding. You will be unable
    • to verify an xml signature that uses rsa with pkcs1 padding
    • Fix test scripts for some xmlsec1 updates
  • Change Log
    • 5ceb574 Add a security policy
    • b19c023 Update Copyright and version for release
    • c42bd68 use_pkcs1_padding is no longer supported by Crypt::OpenSSL::RSA
    • fab3879 ripemd160 is disabled in xmlsec1 1.3.7
    • 2c50bb5 Fix issues with author test script
    • 1035134 xmlsec1 does not support DSAKeyValue
    • bde6403 v0.65

Documentation

SECURITY.md

Modules

XML::Sig
XML::Sig - A toolkit to help sign and verify XML Digital Signatures

Other files