[GHSA-479m-364c-43vc] validateSignature Loop Variable Capture Signature Bypass in goxmldsig#7193

Open
tomasilluminati wants to merge 1 commit into tomasilluminati/advisory-improvement-7193 from tomasilluminati-GHSA-479m-364c-43vc

Conversation

@tomasilluminati

Updates

  • Description

Comments
I am the reporter of this vulnerability. While the GHSA is active and the fix is available in v1.6.0, I am requesting the assignment of a CVE identifier. Given that this is a signature bypass (High severity 7.5) in a core XML digital signature library for Go, I believe that a CVE is important for standardized tracking in industrial vulnerability scanners and compliance audits. This will ensure better visibility and protection for the wider ecosystem. And I have performed a minor correction by removing backticks from the 'Details' section. This ensures better processing and more accurate indexing by automated vulnerability management systems and search engines.

@github
Collaborator

github commented Mar 18, 2026

Hi there @russellhaering! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to tomasilluminati/advisory-improvement-7193 March 18, 2026 21:20
@shelbyc
Contributor

shelbyc commented Mar 19, 2026

👋 Hi @tomasilluminati, GitHub's CNA scope limits GitHub to "CVEs requested by code owners using the GitHub Security Advisories feature" (emphasis mine). In order for GitHub to issue a CVE, @russellhaering would need to follow the instructions from this document to go through the CVE request process. If he doesn't want to get a CVE from GitHub, you'll need to pursue CVE assignment from a different CNA.

@russellhaering

Hey, I actually assumed this would be assigned a CVE and am happy to endorse that. I’ll see if I can find a button to do that now that it’s already published.

@tomasilluminati
Author

tomasilluminati commented Mar 19, 2026

@russellhaering Thank you very much. I'm sorry for not reaching out directly; I didn't have the chance to mention it via the GHSA, and a colleague recommended this as the best way to contact you. So I'd be more than happy if the CVE could be carried out. Let me know if there's anything I can do to help.
