GHSA-479m-364c-43vc: validateSignature Loop Variable Capture Signature Bypass in goxmldsig

March 18, 2026

This vulnerability lets an attacker get around integrity checks for certain signed elements by replacing their content with the content from another element that is also referenced in the same signature.

References

github.com/advisories/GHSA-479m-364c-43vc
github.com/russellhaering/goxmldsig
github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc

Code Behaviors & Features

Detect and mitigate GHSA-479m-364c-43vc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →