CVE-2025-70887
Received Received - Intake

Privilege Escalation in ralphje Signify via signed_data.py, context.py

Vulnerability report for CVE-2025-70887, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-25

Last updated on: 2026-04-01

Assigner: MITRE

Description

An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate privileges via the signed_data.py and the context.py components

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-25
Last Modified
2026-04-01
Generated
2026-07-06
AI Q&A
2026-03-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ralphje signify to 0.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in ralphje Signify versions before 0.9.2 and allows a remote attacker to escalate privileges by exploiting issues in the signed_data.py and context.py components.

Impact Analysis

The vulnerability can allow a remote attacker to gain higher privileges than intended, potentially leading to unauthorized access or control over the affected system.

Compliance Impact

The provided information does not explicitly address how the vulnerability in ralphje Signify before v.0.9.2 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection of this vulnerability involves verifying the presence and correctness of the keyUsage and extendedKeyUsage extensions in certificates used by the signify or osslsigncode components.

Specifically, you should check if the signer certificates include the digitalSignature keyUsage and the code signing extendedKeyUsage (EKU) as required by the stricter validation introduced in signify version 0.9.2 and osslsigncode release 2.11.

Commands to detect this might include using OpenSSL to inspect certificates involved in signing operations, for example:

  • openssl x509 -in <certificate.pem> -text -noout | grep -A 5 "Key Usage"
  • openssl x509 -in <certificate.pem> -text -noout | grep -A 5 "Extended Key Usage"

Additionally, reviewing logs or outputs from signify or osslsigncode signature verification processes for errors or warnings related to missing or invalid keyUsage or EKU extensions can help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade to the fixed versions of the affected software:

  • Upgrade signify to version 0.9.2 or later, which includes stricter validation of keyUsage and extendedKeyUsage extensions in certificates.
  • Upgrade osslsigncode to release 2.11 or later, which adds keyUsage validation for signer certificates.

These updates enforce proper certificate validation, preventing privilege escalation via malformed or improperly validated certificates.

In addition, review your certificate issuance and signing processes to ensure that all signer certificates include the required digitalSignature keyUsage and code signing EKU extensions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70887. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart