SCA: security update for xml-crypto (GHSA-x3m8-899r-f7c3)

critical Tenable Cloud Security Plugin ID 421128

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to
exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or
authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The
vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature
verification checks. For example, it could be used to alter critical identity or access control
attributes, enabling an attacker to escalate privileges or impersonate another user. Users of versions
6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x
should upgrade to patched versions 2.1.6 or 3.2.1, respectively. (CVE-2025-29775)

See Also

https://github.com/advisories/GHSA-x3m8-899r-f7c3

Plugin Details

Severity: Critical

ID: 421128

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 3/14/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.96

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-29775

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/14/2025

Vulnerability Publication Date: 3/14/2025

Reference Information

CVE: CVE-2025-29775

cwe: CWE-347