Re: REVISED [cpansec-cve-announce] CVE-2025-40934: XML-Sig versions 0.27 through 0.67 for Perl improperly validates XML without signatures Timothy Legge (27 Nov 2025 11:48 UTC)

The Subject of this email was revised to reflect that the patched
version is 0.68.

The actual CVE record https://www.cve.org/CVERecord?id=CVE-2025-40934 is
correct.

Thanks to Book for pointing it out on IRC.

Tim

On 2025-11-26 18:37, Timothy Legge - timlegge at cpansec.org wrote:
> ========================================================================
> CVE-2025-40934                                 CPAN Security Group
> ========================================================================
>
>         CVE ID:  CVE-2025-40934
>   Distribution:  XML-Sig
>       Versions:  from 0.27 before 0.68
>
>       MetaCPAN:  https://metacpan.org/dist/XML-Sig
>       VCS Repo:  https://github.com/perl-net-saml2/perl-XML-Sig
>
>
> XML-Sig prior to 0.68 for Perl improperly validates XML without
> signatures
>
> Description
> -----------
> XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML
> files if signatures are omitted.
>
> An attacker can remove the signature from the XML document to make it
> pass the verification check.
>
> XML-Sig is a Perl module to validate signatures on XML files.  An
> unsigned XML file should return an error message.  The affected
> versions return true when attempting to validate an XML file that
> contains no signatures.
>
> Problem types
> -------------
> - CWE-347 Improper Verification of Cryptographic Signature
>
> Solutions
> ---------
> Upgrade to version 0.68
>
>
> References
> ----------
> https://github.com/perl-net-saml2/perl-XML-Sig/issues/63
> https://github.com/perl-net-saml2/perl-XML-Sig/pull/64
>
> Credits
> -------
> gttds, finder
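A regression check for the issue described in the advisory above, written as an added example (it is not code from the XML-Sig project, the advisory, or the issue/PR it references). It assumes XML::Sig's documented new()/sign()/verify() interface, an RSA private key in PEM format at private.key (an assumption; one can be generated with openssl genrsa -out private.key 2048), and XML::LibXML, which XML::Sig already depends on, to remove the ds:Signature element from a signed document. The third check is the CVE-2025-40934 case: on 0.27 through 0.67 verify() returns true for the unsigned document and the script dies with a bypass message, while 0.68 rejects it.

```perl
#!/usr/bin/env perl
# Regression check for CVE-2025-40934: XML::Sig must not accept a document
# from which every ds:Signature element has been removed.
# Added example, not code from the XML-Sig project or the advisory.
# Assumes XML::Sig's documented new()/sign()/verify() interface and an RSA
# private key (PEM) at $KEY_FILE (assumption: supply your own key).
use strict;
use warnings;
use XML::Sig;
use XML::LibXML;

my $KEY_FILE = 'private.key';   # assumption: e.g. openssl genrsa -out private.key 2048

# Constructed sample document. XML::Sig signs the element carrying the ID
# attribute, so the root must have one.
my $xml = '<Assertion ID="assertion-1"><Subject>alice</Subject></Assertion>';

my $signer = XML::Sig->new({ key => $KEY_FILE });

# 1. Baseline: a freshly signed document must verify. sign() embeds the
#    public key, so the same object can verify it without a certificate.
my $signed = $signer->sign($xml);
check_verify($signer, $signed, 1, 'signed document');

# 2. Modified content under an otherwise intact signature must be rejected.
(my $tampered = $signed) =~ s/alice/mallory/;
check_verify($signer, $tampered, 0, 'tampered document');

# 3. The CVE-2025-40934 case: remove every ds:Signature element via the DOM
#    (XML::LibXML is a dependency of XML::Sig) and verify what is left.
#    Versions 0.27 through 0.67 return true here; 0.68 rejects it.
my $stripped = strip_signatures($signed);
check_verify($signer, $stripped, 0, 'unsigned document');

print "XML::Sig $XML::Sig::VERSION: all checks passed\n";

sub strip_signatures {
    my ($doc) = @_;
    my $dom = XML::LibXML->load_xml(string => $doc);
    my $xpc = XML::LibXML::XPathContext->new($dom);
    $xpc->registerNs(ds => 'http://www.w3.org/2000/09/xmldsig#');
    $_->unbindNode for $xpc->findnodes('//ds:Signature');
    my $out = $dom->toString;
    die "signature stripping failed\n" if $out =~ /Signature/;
    return $out;
}

# verify() returns true for a valid signature and, depending on the version,
# either returns false or dies otherwise; both of the latter count as rejected.
sub check_verify {
    my ($sig, $doc, $want_ok, $label) = @_;
    my $ok  = eval { $sig->verify($doc) ? 1 : 0 } || 0;
    my $err = $@;
    if ($ok && !$want_ok) {
        die "FAIL: $label accepted (signature bypass, CVE-2025-40934)\n";
    }
    if (!$ok && $want_ok) {
        die "FAIL: $label rejected: " . ($err || "verify() returned false\n");
    }
    printf "ok: %-17s %s\n", $label, $ok ? 'accepted' : 'rejected';
}
```

Run it against the installed XML::Sig before and after upgrading: an exit via the "signature bypass" message on the third check reproduces the advisory, and a clean run on 0.68 confirms the fix. Removing the element through the DOM rather than with a regex keeps the check honest about what an attacker can do: the document is still well-formed XML, just unsigned.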