CVE-2026-33487: CWE-347: Improper Verification of Cryptographic Signature in russellhaering goxmldsig
goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.
AI Analysis
Technical Summary
The goxmldsig library implements XML Digital Signatures in Go. Before version 1.6.0, the validateSignature function in validate.go contains a bug where the loop variable _ref's address is taken rather than its value. This results in the ref pointer referencing only the last matching element in the SignedInfo.References slice after the loop completes, potentially causing improper verification of cryptographic signatures. This vulnerability is related to CWE-347 (Improper Verification of Cryptographic Signature) and CWE-682 (Incorrect Calculation). The issue is fixed in version 1.6.0 of goxmldsig.
Potential Impact
This vulnerability can cause the goxmldsig library to improperly verify XML digital signatures, potentially allowing attackers to bypass signature validation. The CVSS score of 7.5 (high) reflects that the vulnerability is remotely exploitable without privileges or user interaction and impacts the integrity of the system. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
A patch is available in goxmldsig version 1.6.0 that fixes the loop variable capture issue in the validateSignature function. Users of goxmldsig versions prior to 1.6.0 should upgrade to version 1.6.0 or later to remediate this vulnerability. No additional mitigations are specified by the vendor advisory.
CVE-2026-33487: CWE-347: Improper Verification of Cryptographic Signature in russellhaering goxmldsig
Description
goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The goxmldsig library implements XML Digital Signatures in Go. Before version 1.6.0, the validateSignature function in validate.go contains a bug where the loop variable _ref's address is taken rather than its value. This results in the ref pointer referencing only the last matching element in the SignedInfo.References slice after the loop completes, potentially causing improper verification of cryptographic signatures. This vulnerability is related to CWE-347 (Improper Verification of Cryptographic Signature) and CWE-682 (Incorrect Calculation). The issue is fixed in version 1.6.0 of goxmldsig.
Potential Impact
This vulnerability can cause the goxmldsig library to improperly verify XML digital signatures, potentially allowing attackers to bypass signature validation. The CVSS score of 7.5 (high) reflects that the vulnerability is remotely exploitable without privileges or user interaction and impacts the integrity of the system. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
A patch is available in goxmldsig version 1.6.0 that fixes the loop variable capture issue in the validateSignature function. Users of goxmldsig versions prior to 1.6.0 should upgrade to version 1.6.0 or later to remediate this vulnerability. No additional mitigations are specified by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T16:16:48.971Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c570d8f4197a8e3bef1efc
Added to database: 3/26/2026, 5:46:00 PM
Last enriched: 4/3/2026, 1:12:15 PM
Last updated: 5/9/2026, 9:45:12 PM
Views: 68
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.