<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Goxmlsig - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/goxmlsig/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 25 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/goxmlsig/feed.xml" rel="self" type="application/rss+xml"/><item><title>goxmlsig Vulnerability CVE-2026-33487 Loop Variable Capture</title><link>https://feed.craftedsignal.io/briefs/2024-01-25-goxmlsig-loop-variable-capture/</link><pubDate>Thu, 25 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-25-goxmlsig-loop-variable-capture/</guid><description>A vulnerability exists in goxmlsig versions prior to 1.6.0 related to loop variable capture in the `validateSignature` function when using older Go versions, leading to incorrect signature validation.</description><content:encoded><![CDATA[<p>The goxmlsig library, which provides XML Digital Signatures implemented in Go, is vulnerable to a loop variable capture issue in versions prior to 1.6.0. Specifically, the <code>validateSignature</code> function in <code>validate.go</code> iterates through references in the <code>SignedInfo</code> block to match the signed element's ID. In Go versions before 1.22, or when <code>go.mod</code> uses an older version, the code incorrectly takes the address of the loop variable <code>_ref</code> instead of its value. This results in the <code>ref</code> pointer potentially always pointing to the last element in the <code>SignedInfo.References</code> slice after the loop, especially if multiple references match the ID or if the loop logic is flawed. The vulnerability, identified as CVE-2026-33487, can lead to signature validation bypass. goxmlsig version 1.6.0 addresses this vulnerability with a patch.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious XML document with a digital signature.</li>
<li>The crafted XML document is submitted to a Go application using goxmlsig for signature validation.</li>
<li>The <code>validateSignature</code> function in <code>validate.go</code> is invoked.</li>
<li>The function iterates through the <code>SignedInfo.References</code> slice.</li>
<li>Due to the loop variable capture issue (CVE-2026-33487), the <code>ref</code> pointer incorrectly points to the last element in the slice, especially if running Go versions older than 1.22.</li>
<li>The incorrect <code>ref</code> pointer leads to a mismatch during signature verification.</li>
<li>Despite the signature being invalid, the validation may incorrectly pass due to the flawed logic.</li>
<li>The application processes the malicious XML document as if it were genuinely signed, leading to potential data corruption or unauthorized actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to bypass signature validation in applications using goxmlsig. This can lead to severe consequences such as processing of untrusted or tampered XML data. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high impact. This could potentially impact any application relying on goxmlsig for secure XML processing, leading to data integrity compromise or unauthorized access to sensitive information.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the goxmlsig library to version 1.6.0 or later to patch CVE-2026-33487.</li>
<li>When using goxmlsig, ensure the Go version is 1.22 or higher to avoid the loop variable capture issue.</li>
<li>Implement additional validation checks on the processed XML data to detect potential tampering, even after signature validation.</li>
<li>Monitor the applications logs for error or unexpected behavior during XML signature validation using goxmlsig.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xml</category><category>signature-bypass</category><category>vulnerability</category></item></channel></rss>