CVE-2024-32962

10.0 CRITICAL

📋 TL;DR

xml-crypto versions 4.0.0 through 5.x have a critical signature validation bypass vulnerability. Attackers can forge XML signatures by replacing certificates in KeyInfo elements, allowing them to impersonate legitimate signers. This affects any Node.js application using xml-crypto for XML signature verification without additional certificate validation.

💻 Affected Systems

Products:
  • xml-crypto
Versions: 4.0.0 through 5.x
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using xml-crypto's default signature validation without explicit certificate trust configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete authentication bypass, data integrity compromise, and unauthorized access to sensitive systems by forging trusted XML signatures.

🟠 Likely Case

Attackers can impersonate legitimate users/services, sign malicious XML documents, and bypass signature-based security controls.

🟢 If Mitigated

With proper certificate validation or workarounds, signature verification functions correctly and prevents unauthorized modifications.

🌐 Internet-Facing: HIGH - XML signatures are commonly used in web services, APIs, and federated authentication where internet exposure is typical.
🏢 Internal Only: HIGH - Internal services using XML signatures for authentication or data integrity are equally vulnerable to internal attackers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires modifying XML documents and generating signatures with attacker-controlled certificates, which is straightforward for attackers with XML knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.0

Vendor Advisory: https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v

Restart Required: Yes

Instructions:

1. Update package.json to specify xml-crypto version 6.0.0 or higher.
2. Run npm update xml-crypto or yarn upgrade xml-crypto.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Certificate validation workaround (all platforms)

Manually validate the certificate extracted from KeyInfo against your trusted certificates before accepting a signature validation result.

  // JavaScript implementation
  const trustedCerts = [/* your trusted certificates */];
  // Certificate xml-crypto pulled out of the document's KeyInfo element
  const cert = signature.getCertFromKeyInfo();
  if (!trustedCerts.includes(cert)) {
    throw new Error('Untrusted certificate');
  }

Disable KeyInfo certificate extraction (all platforms)

Force xml-crypto to use only explicitly configured certificates by disabling certificate extraction from KeyInfo.

  // Configure xml-crypto
  const { SignedXml } = require('xml-crypto');
  const sig = new SignedXml();
  // Ignore any certificate carried in KeyInfo; verification then relies on the
  // publicCert / privateKey you configure explicitly.
  sig.getCertFromKeyInfo = () => undefined;

🧯 If You Can't Patch

  • Implement manual certificate validation by checking certificates from getCertFromKeyInfo() against a trusted certificate list.
  • Configure xml-crypto with getCertFromKeyInfo set to () => undefined and explicitly set publicCert or privateKey for all signature operations.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list xml-crypto to see if version is between 4.0.0 and 5.x.

Check Version:

npm list xml-crypto | grep xml-crypto

Verify Fix Applied:

Verify xml-crypto version is 6.0.0 or higher using npm list xml-crypto and test signature validation with malicious KeyInfo certificates.
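The checks above are easy to get wrong by hand when xml-crypto is pulled in more than once: npm list shows every copy, including nested ones installed under another package, and each copy has to be inside 4.0.0 through 5.x to matter. The script below is an added example, not from the advisory: it walks the JSON tree printed by npm ls xml-crypto --json --all and flags every copy whose version is at least 4.0.0 and below the 6.0.0 fix. SAMPLE_NPM_LS is constructed in the shape npm prints and is not real output.

```javascript
// Added example (not from the advisory): find every installed copy of
// xml-crypto, nested ones included, and flag versions in 4.0.0 <= v < 6.0.0.
// Usage: npm ls xml-crypto --json --all > tree.json && node check-xml-crypto.js tree.json

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_MIN = [4, 0, 0]; // first affected release per the advisory
const FIXED = [6, 0, 0];        // patch version per the advisory

function isAffectedVersion(version) {
  const v = parseSemver(version);
  if (!v) return false; // unparsable version: report it, but do not flag it
  return compareSemver(v, AFFECTED_MIN) >= 0 && compareSemver(v, FIXED) < 0;
}

// Recursively collect every xml-crypto entry with its dependency path, so a
// copy installed beneath another package is not missed.
function findXmlCrypto(tree, path = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version || "?"}`];
    if (name === "xml-crypto") {
      out.push({
        path: here.join(" > "),
        version: node.version,
        affected: isAffectedVersion(node.version),
      });
    }
    findXmlCrypto(node, here, out);
  }
  return out;
}

// Constructed sample in the shape `npm ls --json` prints; not real output.
const SAMPLE_NPM_LS = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "xml-crypto": { version: "5.1.0" },
    "some-saml-lib": {
      version: "3.0.0",
      dependencies: { "xml-crypto": { version: "6.0.1" } },
    },
    "legacy-lib": {
      version: "1.0.0",
      dependencies: { "xml-crypto": { version: "3.2.0" } },
    },
  },
};

function loadTree(argv) {
  if (argv[2]) return JSON.parse(require("fs").readFileSync(argv[2], "utf8"));
  return SAMPLE_NPM_LS;
}

for (const f of findXmlCrypto(loadTree(process.argv))) {
  console.log(`${f.affected ? "AFFECTED" : "ok      "} ${f.path}`);
}
```

Run it against a file saved from npm ls on each deployed service rather than on a developer machine, since lockfile drift between environments is exactly what this check is meant to catch.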

📡 Detection & Monitoring

Log Indicators:

  • Failed signature validations with unexpected certificate changes
  • XML parsing errors with modified KeyInfo elements

Network Indicators:

  • Unusual XML document modifications in transit
  • Multiple signature validation attempts with different certificates

SIEM Query:

source="application.log" AND "xml-crypto" AND ("signature validation" OR "certificate mismatch")
