Gregor Samsa: Exploiting Java's XML Signature Verification

ID: fa73bc2c-7d40-5b91-a907-0a5044fd5728

STIX ID: report--fa73bc2c-7d40-5b91-a907-0a5044fd5728

Feed Name: Google Project Zero

Threat Score
75/100

Date Published: 2022-11-02

Date Updated: 2026-04-27

Author: Google Project Zero

This report analyzes CVE-2022-34169: an integer truncation/constant-pool overflow in Java's XSLTC (Xalan) that allows an attacker to craft XSLT transforms embedded in XML signatures to produce malicious JIT-compiled classes, leading to arbitrary code execution during XML signature verification (notably affecting SAML flows). The author explains the vulnerable compilation path, the BCEL constant-pool truncation, a detailed exploitation chain to create a malicious class, the practical constraints (signed SignedInfo, secureValidation setting), and recommended mitigations such as enabling secure validation, early key allowlisting, and reducing XSLT exposure.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.