xml-crypto@0.4.26 vulnerabilities

Xml digital signature and encryption library for Node.js

Direct Vulnerabilities

Known vulnerabilities in the xml-crypto package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Signature Validation Bypass

xml-crypto is a xml digital signature and encryption library for Node.js.

Affected versions of this package are vulnerable to Signature Validation Bypass. An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation.

How to fix Signature Validation Bypass?

Upgrade xml-crypto to version 2.0.0 or higher.

<2.0.0