SignXML Timing Attack Vulnerability in HMAC Verification

Vulnerability

A timing attack vulnerability has been identified in SignXML, a Python library implementing the W3C XML Signature standard. The issue affects versions prior to 4.0.4 when signatures are verified with X509 certificate validation disabled and an HMAC shared secret enabled. In this scenario, the verifier may inadvertently leak information about the correct HMAC when it compares that value with the user-supplied hash. This leakage could allow users to reconstruct the correct HMAC for any given data.

Impact

An attacker who exploits this vulnerability through a timing attack could infer information about the HMAC verification process and potentially reconstruct the correct HMAC for signed data.

Remediation

Users can upgrade to SignXML version 4.0.4 or later to address this vulnerability.
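
The class of leak described above, shown as an added example (this is not SignXML's code): an early-exit comparison whose work grows with the length of the matching prefix, next to a check built on Python's hmac.compare_digest. All function names, the secret and the sample data are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample values for illustration only.
SHARED_SECRET = b"constructed-demo-secret"
SIGNED_DATA = b"<SignedInfo>constructed sample</SignedInfo>"


def expected_mac(secret: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 that the verifier computes over the signed data."""
    return hmac.new(secret, data, hashlib.sha256).digest()


def leaky_equal(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Early-exit comparison (the weak pattern).

    Returns the result plus the number of bytes examined, a deterministic
    stand-in for running time: it grows with the matching prefix length.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify_hmac(secret: bytes, data: bytes, supplied: bytes) -> bool:
    """Hardened check: compare_digest avoids content-based short-circuiting."""
    return hmac.compare_digest(expected_mac(secret, data), supplied)


def mismatch_at(mac: bytes, index: int) -> bytes:
    """Copy of mac with the byte at index altered (helper for the demo)."""
    return mac[:index] + bytes([mac[index] ^ 0xFF]) + mac[index + 1:]


if __name__ == "__main__":
    good = expected_mac(SHARED_SECRET, SIGNED_DATA)
    for i in (0, 10, 31):
        bad = mismatch_at(good, i)
        print(i, leaky_equal(good, bad),
              verify_hmac(SHARED_SECRET, SIGNED_DATA, bad))
```

The second value returned by leaky_equal changes with the position of the first wrong byte, which is the signal a constant-time comparison is meant to remove.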

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.1
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.