


Perceptive Security
SOC/SIEM Consultancy

goxmldsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the reference…
Published:
25 March 2026 at 23:00:00
Alert date:
26 March 2026 at 19:02:42
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
The goxmldsig library for XML Digital Signatures in Go contains a critical loop variable capture issue in versions prior to 1.6.0. When processing the SignedInfo references, the `validateSignature` function in `validate.go` takes the address of the loop variable `_ref` instead of its value. The issue occurs when building with Go versions before 1.22, or when go.mod declares an older Go version. As a result, the `ref` pointer always points to the last element of the `SignedInfo.References` slice, potentially compromising XML signature validation. A patch is available in goxmldsig version 1.6.0.
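The failure mode described above, as an added example that is not goxmldsig's own code: `pickShared` reproduces the pre-1.22 shared loop variable explicitly so the behaviour shows on any toolchain, and `pickIndexed` takes the address of the slice element instead. The `Reference` type, the function names and the sample values are assumptions constructed for illustration.

```go
package main

import "fmt"

// Reference is a hypothetical stand-in for a SignedInfo reference entry.
type Reference struct {
	URI    string
	Digest string
}

// pickShared models Go < 1.22 loop semantics: one variable is reused for
// every iteration, so a pointer to it sees whatever was copied in last.
func pickShared(refs []Reference, id string) *Reference {
	var ref *Reference
	var _ref Reference // single shared loop variable (pre-1.22 behaviour)
	for i := range refs {
		_ref = refs[i]
		if _ref.URI == "#"+id {
			ref = &_ref // address of the loop variable, not of the element
		}
	}
	return ref
}

// pickIndexed points at the slice element itself, so the result does not
// depend on the language version declared in go.mod.
func pickIndexed(refs []Reference, id string) *Reference {
	for i := range refs {
		if refs[i].URI == "#"+id {
			return &refs[i]
		}
	}
	return nil
}

// sampleRefs is constructed input: the reference for "signed" comes first.
func sampleRefs() []Reference {
	return []Reference{
		{URI: "#signed", Digest: "digest-of-signed"},
		{URI: "#other", Digest: "digest-of-other"},
	}
}

func main() {
	refs := sampleRefs()
	fmt.Println("shared variable:", pickShared(refs, "signed").URI)
	fmt.Println("indexed element:", pickIndexed(refs, "signed").URI)
}
```

With the shared variable, the returned pointer reports the last reference even though the first one matched; the indexed form returns the matching element.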
Technical details
Affected products:
goxmldsig
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33487
https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc
This article was created with the assistance of AI technology by Perceptive.
