GHSA-4v55-cpmv-3vcmLowCVSS 3.7

CoreWCF: WS-Security Reference DigestMethod Algorithm-Suite Bypass

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

CoreWCF’s WS-Security 1.0 receive pipeline validates the SignatureMethod of an incoming ds:SignedInfo against the configured SecurityAlgorithmSuite, but does not validate the DigestMethod declared on each ds:Reference. As a result, a sender can populate ds:SignedInfo with SignatureMethod values the suite accepts (for example rsa-sha256 under Basic256Sha256) while declaring a per-reference DigestMethod the suite rejects (for example http://www.w3.org/2000/09/xmldsig#sha1). The signature is then verified where it permits SHA-1 digests, and the message is accepted.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

🎯 Affected products2

  • nuget/CoreWCF.Primitives:< 1.8.1
  • nuget/CoreWCF.Primitives:>= 1.9.0, < 1.9.1

🔗 References (2)