{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70887", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-25T18:55:32.212Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-03-25T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-25T18:55:32.212Z"}, "descriptions": [{"lang": "en", "value": "An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate privileges via the signed_data.py and the context.py components"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/ralphje/signify/issues/60"}, {"url": "https://github.com/ralphje/signify/commit/64f21c0cc06cea0536370686ca3ba7a01e4adaa8"}, {"url": "https://github.com/mtrojnar/osslsigncode/issues/475"}, {"url": "https://github.com/mtrojnar/osslsigncode/pull/477"}, {"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.11"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate privileges via the signed_data.py and the context.py components"}], "id": "CVE-2025-70887", "lastModified": "2026-03-25T19:16:28.130", "metrics": {}, "published": "2026-03-25T19:16:28.130", "references": [{"source": "cve@mitre.org", "url": "https://github.com/mtrojnar/osslsigncode/issues/475"}, {"source": "cve@mitre.org", "url": "https://github.com/mtrojnar/osslsigncode/pull/477"}, {"source": "cve@mitre.org", "url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.11"}, {"source": "cve@mitre.org", "url": "https://github.com/ralphje/signify/commit/64f21c0cc06cea0536370686ca3ba7a01e4adaa8"}, {"source": "cve@mitre.org", "url": "https://github.com/ralphje/signify/issues/60"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.9.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "signify", "vendor": "ralphje"}], "analysis": {"en": {"generated_at": "2026-03-26T13:27:13.296561+00:00", "value": {"mitigation_remediation": ["Upgrade ralphje Signify to version 0.9.2 or later.", "If upgrade is not immediately feasible, restrict shell access to the signed_data.py and context.py modules and deny execution of untrusted signed data.", "Verify that the system\u2019s authentication mechanisms are correctly enforced after any updates.", "Monitor system logs for attempts to supply malformed signed data to the application."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of ralphje Signify earlier than version 0.9.2. This includes any environment using that open\u2011source signing tool before the 0.9.2 release, regardless of operating platform, as the source code locations are consistent across builds.", "description_and_impact": "The vulnerability resides in ralphje Signify, specifically in the signed_data.py and context.py components, and allows a remote attacker to manipulate signed data inputs to gain elevated privileges. The flaw originates from insufficient validation of signed payloads, enabling an adversary to influence execution context. Based on the description, the likely attack vector involves sending crafted signed data to the vulnerable component, triggering privileged code execution or privilege escalation.", "risk_and_exploitability": "Risk assessment is hampered by lack of CVSS and EPSS scores, but the vulnerability\u2019s nature\u2014remote privilege escalation\u2014suggests high severity. No known public exploits are reported and the issue is not listed in the KEV catalog, yet an attacker who can deliver unsigned or tampered signed data to the application could potentially subvert its security controls. Exploitation requires remote reach and the ability to submit signed data, so systems exposed to untrusted signed inputs should consider isolation or immediate patching."}}}}, "created": "2026-03-25T20:56:56.436992+00:00", "title": "Privilege Escalation via Signed Data Parsing in ralphje Signify", "updated": "2026-03-26T13:55:11.632334+00:00", "vendors": ["ralphje", "ralphje$PRODUCT$signify"], "weaknesses": ["CWE-285", "CWE-732"]}